xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis_level1_server

Guide to the Secure Configuration of Ubuntu 22.04

with profile CIS Ubuntu 22.04 Level 1 Server Benchmark
This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS Benchmark, v1.0.0, released 08-30-2022.

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Ubuntu 22.04. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	P3tBoul3
Benchmark URL	/tmp/tmp.8mIdL9Hm1k
Benchmark ID	xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04
Profile ID	xccdf_org.ssgproject.content_profile_cis_level1_server
Started at	2025-05-13T15:24:10
Finished at	2025-05-13T15:26:36
Performed by	arthur

CPE Platforms

cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~

Addresses

IPv4 127.0.0.1
IPv4 10.6.7.114
IPv4 172.17.0.1
IPv6 0:0:0:0:0:0:0:1
IPv6 fe80:0:0:0:c2a7:4096:86c2:96a9
MAC 00:00:00:00:00:00
MAC 90:E8:68:59:AC:4F
MAC 02:42:02:F3:EF:56

Compliance and Scoring

The target system did not satisfy the conditions of 111 rules! Furthermore, the results of 11 rules were inconclusive. Please review rule results and consider applying remediation.

Rule results

121 passed

111 failed

18 other

Severity of failed rules

8 other

6 low

94 medium

3 high

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	50.945534	100.000000	50.95%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of Ubuntu 22.04 111x fail 9x error 2x unknown 7x notchecked
System Settings 77x fail 9x error 2x unknown 7x notchecked
Installing and Maintaining Software 12x fail 4x error
System and Software Integrity 4x fail
Software Integrity Checking 4x fail
Verify Integrity with AIDE 4x fail
Install AIDE	medium	fail
Build and Test AIDE Database	medium	fail
Configure AIDE to Verify the Audit Tools	medium	fail
Configure Periodic Execution of AIDE	medium	fail
Package "prelink" Must not be Installed	medium	pass
Disk Partitioning 1x fail
Ensure /tmp Located On Separate Partition	low	fail
GNOME Desktop Environment 7x fail
Configure GNOME Login Screen 2x fail
Disable the GNOME3 Login User List	medium	fail
Disable XDMCP in GDM	high	fail
GNOME Media Settings 3x fail
Disable GNOME3 Automounting	medium	fail
Disable GNOME3 Automount Opening	medium	fail
Disable GNOME3 Automount running	low	fail
Configure GNOME Screen Locking 2x fail
Set GNOME3 Screensaver Lock Delay After Activation Period	medium	fail
Enable GNOME3 Screensaver Lock After Idle Period	medium	fail
Sudo 4x error
Install sudo Package	medium	pass
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty	medium	error
Ensure Sudo Logfile Exists - sudo logfile	low	error
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate	medium	error
Require Re-Authentication When Using the sudo Command	medium	error
Account and Access Control 23x fail 5x error 1x unknown
Warning Banners for System Accesses 4x fail
Implement a GUI Warning Banner 2x fail
Enable GNOME3 Login Warning Banner	medium	fail
Set the GNOME3 Login Warning Banner Text	medium	fail
Modify the System Login Banner	medium	fail
Modify the System Login Banner for Remote Connections	medium	fail
Modify the System Message of the Day Banner	medium	pass
Verify Group Ownership of System Login Banner	medium	pass
Verify Group Ownership of System Login Banner for Remote Connections	medium	pass
Verify Group Ownership of Message of the Day Banner	medium	pass
Verify ownership of System Login Banner	medium	pass
Verify ownership of System Login Banner for Remote Connections	medium	pass
Verify ownership of Message of the Day Banner	medium	pass
Verify permissions on System Login Banner	medium	pass
Verify permissions on System Login Banner for Remote Connections	medium	pass
Verify permissions on Message of the Day Banner	medium	pass
Protect Accounts by Configuring PAM 11x fail
Set Lockouts for Failed Password Attempts 4x fail
Limit Password Reuse	medium	fail
Lock Accounts After Failed Password Attempts	medium	fail
Set Interval For Counting Failed Password Attempts	medium	fail
Set Lockout Time for Failed Password Attempts	medium	fail
Set Password Quality Requirements 6x fail
Set Password Quality Requirements with pam_pwquality 6x fail
Ensure PAM Enforces Password Requirements - Minimum Digit Characters	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Different Categories	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Length	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Special Characters	medium	fail
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session	medium	pass
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters	medium	fail
Set Password Hashing Algorithm 1x fail
Set Password Hashing Algorithm in /etc/login.defs	medium	fail
Protect Accounts by Restricting Password-Based Login 6x fail 4x error
Set Account Expiration Parameters 1x fail
Set Account Expiration Following Inactivity	medium	fail
Ensure All Accounts on the System Have Unique Names	medium	pass
Ensure shadow Group is Empty	medium	pass
Set Password Expiration Parameters 2x fail 2x error
Set Password Maximum Age	medium	fail
Set Password Minimum Age	medium	fail
Set Existing Passwords Maximum Age	medium	error
Set Existing Passwords Minimum Age	medium	error
Set Password Warning Age	medium	pass
Verify Proper Storage and Existence of Password Hashes 1x error
Verify All Account Password Hashes are Shadowed	medium	pass
Ensure all users last password change date is in the past	medium	pass
All GIDs referenced in /etc/passwd must be defined in /etc/group	low	pass
Ensure There Are No Accounts With Blank or Null Passwords	high	error
Verify No .forward Files Exist	medium	pass
Verify No netrc Files Exist	medium	pass
Restrict Root Logins 3x fail 1x error
Verify Only Root Has UID 0	high	pass
Verify Root Has A Primary GID 0	high	pass
Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty	medium	fail
Ensure Authentication Required for Single User Mode	medium	error
Ensure that System Accounts Do Not Run a Shell Upon Login	medium	fail
Enforce Usage of pam_wheel with Group Parameter for su Authentication	medium	fail
Ensure All Accounts on the System Have Unique User IDs	medium	pass
Ensure All Groups on the System Have Unique Group ID	medium	pass
Ensure All Groups on the System Have Unique Group Names	medium	pass
Secure Session Configuration Files for Login Accounts 2x fail 1x error 1x unknown
Ensure that No Dangerous Directories Exist in Root's Path
Ensure that Root's Path Does Not Include World or Group-Writable Directories	medium	pass
Ensure that Root's Path Does Not Include Relative Paths or Null Directories	unknown	pass
Ensure that Users Have Sensible Umask Values 2x fail 1x unknown
Ensure the Default Bash Umask is Set Correctly	medium	fail
Ensure the Default Umask is Set Correctly in login.defs	medium	fail
Ensure the Default Umask is Set Correctly in /etc/profile	medium	unknown
Ensure the Default Umask is Set Correctly For Interactive Users	medium	pass
Set Interactive Session Timeout	medium	error
User Initialization Files Must Be Group-Owned By The Primary Group	medium	pass
User Initialization Files Must Not Run World-Writable Programs	medium	pass
User Initialization Files Must Be Owned By the Primary User	medium	pass
All Interactive Users Home Directories Must Exist	medium	pass
All Interactive User Home Directories Must Be Group-Owned By The Primary Group	medium	pass
All Interactive User Home Directories Must Be Owned By The Primary User	medium	pass
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive	medium	pass
AppArmor 1x fail 1x unknown
Ensure AppArmor is installed	medium	pass
All AppArmor Profiles are in enforce or complain mode	medium	unknown
Ensure AppArmor is enabled in the bootloader configuration	medium	fail
GRUB2 bootloader configuration 1x fail
Non-UEFI GRUB2 bootloader configuration
Verify /boot/grub/grub.cfg User Ownership	medium	notapplicable
Verify /boot/grub/grub.cfg Permissions	medium	notapplicable
Set Boot Loader Password in grub2	high	notapplicable
UEFI GRUB2 bootloader configuration 1x fail
Set the UEFI Boot Loader Password	high	fail
Configure Syslog 4x fail
systemd-journald 3x fail
Install systemd-journal-remote Package	medium	fail
Enable systemd-journald Service	medium	pass
Ensure journald is configured to compress large log files	medium	fail
Ensure journald is configured to write log files to persistent disk	medium	fail
Disable systemd-journal-remote Socket	medium	pass
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server	medium	pass
Rsyslog Logs Sent To Remote Host 1x fail
Ensure Logs Sent To Remote Host	medium	fail
Ensure rsyslog is Installed	medium	pass
Enable rsyslog Service	medium	pass
Ensure rsyslog Default File Permissions Configured	medium	pass
Network Configuration and Firewalls 26x fail 7x notchecked
iptables and ip6tables
Inspect and Activate Default Rules
Set Default ip6tables Policy for Incoming Packets	medium	notapplicable
Set configuration for IPv6 loopback traffic	medium	notapplicable
Set configuration for loopback traffic	medium	notapplicable
Strengthen the Default Ruleset
Ensure ip6tables Firewall Rules Exist for All Open Ports	medium	notapplicable
Ensure iptables Firewall Rules Exist for All Open Ports	medium	notapplicable
Set Default iptables Policy for Incoming Packets	medium	notapplicable
Install iptables Package	medium	notapplicable
Remove iptables-persistent Package	medium	pass
IPv6 7x fail
Configure IPv6 Settings if Necessary 7x fail
Configure Accepting Router Advertisements on All IPv6 Interfaces	medium	fail
Disable Accepting ICMP Redirects for All IPv6 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces	medium	fail
Disable Kernel Parameter for IPv6 Forwarding	medium	fail
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default	medium	fail
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default	medium	fail
Kernel Parameters Which Affect Networking 15x fail
Network Related Kernel Runtime Parameters for Hosts and Routers 12x fail
Disable Accepting ICMP Redirects for All IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces	medium	fail
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces	unknown	fail
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default	medium	pass
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default	unknown	fail
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default	medium	fail
Configure Kernel Parameter for Accepting Secure Redirects By Default	medium	fail
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces	medium	fail
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces	unknown	fail
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces	medium	fail
Network Parameters for Hosts Only 3x fail
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default	medium	fail
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces	medium	fail
nftables 2x fail 4x notchecked
Install nftables Package	medium	notapplicable
Verify nftables Service is Enabled	medium	fail
Ensure nftables Default Deny Firewall Policy	medium	notchecked
Ensure nftables Rules are Permanent	medium	fail
Ensure Base Chains Exist for Nftables	medium	notchecked
Set nftables Configuration for Loopback Traffic	medium	notchecked
Ensure a Table Exists for Nftables	medium	notchecked
Uncomplicated Firewall (ufw) 1x fail 3x notchecked
Remove ufw Package	medium	fail
Verify ufw Enabled	medium	pass
Ensure ufw Default Deny Firewall Policy	medium	notchecked
Set UFW Loopback Traffic	medium	notchecked
Ensure ufw Firewall Rules Exist for All Open Ports	medium	notchecked
Wireless Networking 1x fail
Disable Wireless Through Software Configuration 1x fail
Deactivate Wireless Network Interfaces	medium	fail
File Permissions and Masks 10x fail
Verify Permissions on Important Files and Directories 2x fail
Verify Permissions on Files with Local Account Information and Credentials
Verify Group Who Owns Backup group File	medium	pass
Verify Group Who Owns Backup gshadow File	medium	pass
Verify Group Who Owns Backup passwd File	medium	pass
Verify User Who Owns Backup shadow File	medium	pass
Verify Group Who Owns group File	medium	pass
Verify Group Who Owns gshadow File	medium	pass
Verify Group Who Owns passwd File	medium	pass
Verify Group Who Owns shadow File	medium	pass
Verify User Who Owns Backup group File	medium	pass
Verify User Who Owns Backup gshadow File	medium	pass
Verify User Who Owns Backup passwd File	medium	pass
Verify Group Who Owns Backup shadow File	medium	pass
Verify User Who Owns group File	medium	pass
Verify User Who Owns gshadow File	medium	pass
Verify User Who Owns passwd File	medium	pass
Verify User Who Owns shadow File	medium	pass
Verify Permissions on Backup group File	medium	pass
Verify Permissions on Backup gshadow File	medium	pass
Verify Permissions on Backup passwd File	medium	pass
Verify Permissions on Backup shadow File	medium	pass
Verify Permissions on group File	medium	pass
Verify Permissions on gshadow File	medium	pass
Verify Permissions on passwd File	medium	pass
Verify Permissions on shadow File	medium	pass
Verify File Permissions Within Some Important Directories
Verify that audit tools are owned by group root	medium	pass
Verify that audit tools are owned by root	medium	pass
Verify that audit tools Have Mode 0755 or less	medium	pass
Verify Permissions on /etc/audit/auditd.conf	medium	pass
Verify Permissions on /etc/audit/rules.d/*.rules	medium	pass
Ensure No World-Writable Files Exist	medium	fail
Ensure All Files Are Owned by a Group	medium	pass
Ensure All Files Are Owned by a User	medium	pass
Verify permissions of log files	medium	fail
Restrict Dynamic Mounting and Unmounting of Filesystems 2x fail
Disable the Automounter	medium	notapplicable
Disable Mounting of cramfs	low	fail
Disable Modprobe Loading of USB Storage Driver	medium	fail
Restrict Partition Mount Options 3x fail
Add nodev Option to /dev/shm	medium	fail
Add noexec Option to /dev/shm	medium	fail
Add nosuid Option to /dev/shm	medium	fail
Add nodev Option to /home	unknown	notapplicable
Add nosuid Option to /home	medium	notapplicable
Add nodev Option to /tmp	medium	notapplicable
Add noexec Option to /tmp	medium	notapplicable
Add nosuid Option to /tmp	medium	notapplicable
Add nodev Option to /var/log/audit	medium	notapplicable
Add noexec Option to /var/log/audit	medium	notapplicable
Add nosuid Option to /var/log/audit	medium	notapplicable
Add nodev Option to /var/log	medium	notapplicable
Add noexec Option to /var/log	medium	notapplicable
Add nosuid Option to /var/log	medium	notapplicable
Add nodev Option to /var	medium	notapplicable
Add nosuid Option to /var	medium	notapplicable
Add nodev Option to /var/tmp	medium	notapplicable
Add noexec Option to /var/tmp	medium	notapplicable
Add nosuid Option to /var/tmp	medium	notapplicable
Restrict Programs from Dangerous Execution Patterns 3x fail
Disable Core Dumps 2x fail
Disable Core Dumps for All Users	medium	fail
Disable Core Dumps for SUID programs	medium	fail
Enable ExecShield 1x fail
Enable Randomized Layout of Virtual Address Space	medium	fail
Services 34x fail
Apport Service 1x fail
Disable Apport Service	unknown	fail
Avahi Server 2x fail
Disable Avahi Server if Possible 2x fail
Uninstall avahi Server Package	medium	fail
Disable Avahi Server Software	medium	fail
Cron and At Daemons 6x fail
Restrict at and cron to Authorized Users if Necessary
Ensure that /etc/at.deny does not exist	medium	pass
Ensure that /etc/cron.deny does not exist	medium	pass
Verify Group Who Owns /etc/at.allow file	medium	pass
Verify Group Who Owns /etc/cron.allow file	medium	pass
Verify User Who Owns /etc/at.allow file	medium	pass
Verify User Who Owns /etc/cron.allow file	medium	pass
Verify Permissions on /etc/at.allow file	medium	pass
Verify Permissions on /etc/cron.allow file	medium	pass
Enable cron Service	medium	pass
Verify Group Who Owns cron.d	medium	pass
Verify Group Who Owns cron.daily	medium	pass
Verify Group Who Owns cron.hourly	medium	pass
Verify Group Who Owns cron.monthly	medium	pass
Verify Group Who Owns cron.weekly	medium	pass
Verify Group Who Owns Crontab	medium	pass
Verify Owner on cron.d	medium	pass
Verify Owner on cron.daily	medium	pass
Verify Owner on cron.hourly	medium	pass
Verify Owner on cron.monthly	medium	pass
Verify Owner on cron.weekly	medium	pass
Verify Owner on crontab	medium	pass
Verify Permissions on cron.d	medium	fail
Verify Permissions on cron.daily	medium	fail
Verify Permissions on cron.hourly	medium	fail
Verify Permissions on cron.monthly	medium	fail
Verify Permissions on cron.weekly	medium	fail
Verify Permissions on crontab	medium	fail
Deprecated services
Uninstall the nis package	low	pass
DHCP
Disable DHCP Server
Uninstall DHCP Server Package	medium	pass
DNS Server
Disable DNS Server
Uninstall bind Package	low	pass
FTP Server
Disable vsftpd if Possible
Uninstall vsftpd Package	high	pass
Web Server 1x fail
Disable Apache if Possible 1x fail
Uninstall httpd Package	unknown	fail
Disable NGINX if Possible
Uninstall nginx Package	unknown	pass
IMAP and POP3 Server
Disable Cyrus IMAP
Uninstall cyrus-imapd Package	unknown	pass
Disable Dovecot
Uninstall dovecot Package	unknown	pass
LDAP 1x fail
Configure OpenLDAP Clients 1x fail
Ensure LDAP client is not installed	low	fail
Configure OpenLDAP Server
Uninstall openldap-servers Package	low	pass
Mail Server Software
Configure SMTP For Mail Clients
Disable Postfix Network Listening	medium	notapplicable
Ensure Mail Transfer Agent is not Listening on any non-loopback Address	medium	pass
NFS and RPC
Disable All NFS Services if Possible
Disable Services Used Only by NFS
Uninstall rpcbind Package	low	pass
Uninstall nfs-kernel-server Package	low	pass
Network Time Protocol
Install the systemd_timesyncd Service	high	pass
The Chronyd service is enabled	medium	notapplicable
Enable the NTP Daemon	high	notapplicable
Enable systemd_timesyncd Service	high	pass
Ensure that chronyd is running under chrony user account	medium	notapplicable
Configure server restrictions for ntpd	medium	notapplicable
Configure ntpd To Run As ntp User	medium	notapplicable
Obsolete Services 2x fail
Rlogin, Rsh, and Rexec
Uninstall rsh Package	unknown	pass
Remove Rsh Trust Files	high	notapplicable
Chat/Messaging Services
Uninstall talk Package	medium	pass
Telnet 1x fail
Remove telnet Clients	low	fail
Uninstall rsync Package	medium	fail
Print Support 2x fail
Uninstall CUPS Package	unknown	fail
Disable the CUPS Service	unknown	fail
Proxy Server
Disable Squid if Possible
Uninstall squid Package	unknown	pass
Samba(SMB) Microsoft Windows File Sharing Server
Disable Samba if Possible
Uninstall Samba Package	unknown	pass
SNMP Server
Disable SNMP Server if Possible
Uninstall net-snmp Package	unknown	pass
SSH Server 18x fail
Configure OpenSSH Server if Necessary 17x fail
Set SSH Client Alive Count Max	medium	fail
Set SSH Client Alive Interval	medium	fail
Disable Host-Based Authentication	medium	fail
Disable SSH Access via Empty Passwords	high	fail
Disable SSH Support for .rhosts Files	medium	fail
Disable SSH Root Login	medium	fail
Do Not Allow SSH Environment Options	medium	fail
Enable PAM	medium	pass
Enable SSH Warning Banner	medium	fail
Limit Users' SSH Access	unknown	fail
Ensure SSH LoginGraceTime is configured	medium	fail
Set LogLevel to INFO	low	fail
Set SSH authentication attempt limit	medium	fail
Set SSH MaxSessions limit	medium	fail
Ensure SSH MaxStartups is configured	medium	fail
Use Only Strong Ciphers	medium	fail
Use Only Strong Key Exchange algorithms	medium	fail
Use Only Strong MACs	medium	fail
Verify Group Who Owns SSH Server config file	medium	pass
Verify Owner on SSH Server config file	medium	pass
Verify Permissions on SSH Server config file	medium	fail
Verify Permissions on SSH Server Private *_key Key Files	medium	pass
Verify Permissions on SSH Server Public *.pub Key Files	medium	pass
X Window System 1x fail
Disable X Windows 1x fail
Remove the X Windows Package Group	medium	fail
System Accounting with auditd
Configure auditd Rules for Comprehensive Auditing
System Audit Logs Must Have Mode 0750 or Less Permissive	medium	notapplicable
System Audit Logs Must Be Group Owned By Root	medium	notapplicable
Audit Configuration Files Must Be Owned By Group root	medium	notapplicable
Audit Configuration Files Must Be Owned By Root	medium	notapplicable
System Audit Logs Must Be Owned By Root	medium	notapplicable
System Audit Logs Must Have Mode 0640 or Less Permissive	medium	notapplicable

Result Details

Install AIDE

Rule ID xccdf_org.ssgproject.content_rule_package_aide_installed

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, UBTU-22-651010, 1.3.1, R76, R79, 11.5.2

Description

The aide package can be installed with the following command:

$ apt-get install aide

Rationale

The AIDE package must be installed if it is to be available for integrity checking.

OVAL details

package aide is installed failed because these items were missing:

Object oval:ssg-obj_test_package_aide_installed:obj:1 of type dpkginfo_object

Name
aide

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

- name: Ensure aide is installed
  package:
    name: aide
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651010
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_aide_installed

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include install_aide

class install_aide {
  package { 'aide':
    ensure => 'installed',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation script: (show)


[[packages]]
name = "aide"
version = "*"

Build and Test AIDE Database

Rule ID xccdf_org.ssgproject.content_rule_aide_build_database

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, UBTU-22-651015, 1.3.1, R76, R79, 11.5.2

Description

Run the following command to generate a new database:

$ sudo aideinit

By default, the database will be written to the file /var/lib/aide/aide.db.new. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/bin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:

$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

To initiate a manual check, run the following command:

$ sudo /usr/bin/aide --check

If this check produces any unexpected output, investigate.

Rationale

For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

OVAL details

Testing existence of operational aide database file failed because these items were missing:

Object oval:ssg-object_aide_operational_database_absolute_path:obj:1 of type file_object

Filepath
Referenced variable has no values (oval:ssg-variable_aide_operational_database_absolute_path:var:1)

Testing existence of operational aide database file failed because these items were missing:

Object oval:ssg-object_aide_operational_database_file:obj:1 of type file_object

Filepath
Referenced variable has no values (oval:ssg-variable_aide_operational_database_absolute_path_no_dbd

Testing existence of configuration for new databases failed because these items were missing:

Object oval:ssg-object_aide_new_database_config:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/aide/aide.conf	^database_out=file:@@{DBDIR}/([a-z.]+)$	1

Testing existence of dbdir variable failed because these items were missing:

Object oval:ssg-object_aide_build_database_dirpath:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/aide/aide.conf	^@@define[\s]DBDIR[\s]+(/.*)$	1

Testing existence of configuration for new databases failed because these items were missing:

Object oval:ssg-object_aide_new_database_config_no_dbdir:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/aide/aide.conf	^database_out=file:([a-z./]+)$	1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Build and Test AIDE Database - Ensure AIDE Is Installed
  ansible.builtin.apt:
    name: aide
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651015
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Build and Test AIDE Database - Check if DB Path in /etc/aide/aide.conf Is
    Already Set
  ansible.builtin.lineinfile:
    path: /etc/aide/aide.conf
    regexp: ^#?(\s*)(database=)(.*)$
    state: absent
  check_mode: true
  changed_when: false
  register: database_replace
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651015
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Build and Test AIDE Database - Check if DB Out Path in /etc/aide/aide.conf
    Is Already Set
  ansible.builtin.lineinfile:
    path: /etc/aide/aide.conf
    regexp: ^#?(\s*)(database_out=)(.*)$
    state: absent
  check_mode: true
  changed_when: false
  register: database_out_replace
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651015
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Build and Test AIDE Database - Fix DB Path in Config File if Necessary
  ansible.builtin.lineinfile:
    path: /etc/aide/aide.conf
    regexp: ^#?(\s*)(database)(\s*)=(\s*)(.*)$
    line: \2\3=\4file:/var/lib/aide/aide.db
    backrefs: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - database_replace.found > 0
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651015
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Build and Test AIDE Database - Fix DB Out Path in Config File if Necessary
  ansible.builtin.lineinfile:
    path: /etc/aide/aide.conf
    regexp: ^#?(\s*)(database_out)(\s*)=(\s*)(.*)$
    line: \2\3=\4file:/var/lib/aide/aide.db.new
    backrefs: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - database_out_replace.found > 0
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651015
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Build and Test AIDE Database - Ensure the Default DB Path is Added
  ansible.builtin.lineinfile:
    path: /etc/aide/aide.conf
    line: database=file:/var/lib/aide/aide.db
    create: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - database_replace.found == 0
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651015
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Build and Test AIDE Database - Ensure the Default Out Path is Added
  ansible.builtin.lineinfile:
    path: /etc/aide/aide.conf
    line: database_out=file:/var/lib/aide/aide.db.new
    create: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - database_out_replace.found == 0
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651015
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Build and Test AIDE Database - Build and Test AIDE Database
  ansible.builtin.command: /usr/sbin/aideinit -y -f
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651015
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"

AIDE_CONFIG=/etc/aide/aide.conf
DEFAULT_DB_PATH=/var/lib/aide/aide.db

# Fix db path in the config file, if necessary
if ! grep -q '^database=file:' ${AIDE_CONFIG}; then
    # replace_or_append gets confused by 'database=file' as a key, so should not be used.
    #replace_or_append "${AIDE_CONFIG}" '^database=file' "${DEFAULT_DB_PATH}" '@CCENUM@' '%s:%s'
    echo "database=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG}
fi

# Fix db out path in the config file, if necessary
if ! grep -q '^database_out=file:' ${AIDE_CONFIG}; then
    echo "database_out=file:${DEFAULT_DB_PATH}.new" >> ${AIDE_CONFIG}
fi

/usr/sbin/aideinit -y -f

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure AIDE to Verify the Audit Tools

Rule ID xccdf_org.ssgproject.content_rule_aide_check_audit_tools

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, UBTU-22-651030, 4.1.4.11

Description

The operating system file integrity tool must be configured to protect the integrity of the audit tools.

Rationale

Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.

OVAL details

auditctl is checked in /etc/aide/aide.conf failed because these items were missing:

Object oval:ssg-object_aide_verify_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/aide/aide.conf	^\/usr\/sbin\/auditctl\s+([^\n]+)$	1

State oval:ssg-state_aide_check_attributes:ste:1 of type textfilecontent54_state

Subexpression
^p\+i\+n\+u\+g\+s\+b\+acl(\|\+selinux)\+xattrs\+sha512$

auditd is checked in /etc/aide/aide.conf failed because these items were missing:

Object oval:ssg-object_aide_verify_auditd:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/aide/aide.conf	^/usr/sbin/auditd\s+([^\n]+)$	1

State oval:ssg-state_aide_check_attributes:ste:1 of type textfilecontent54_state

Subexpression
^p\+i\+n\+u\+g\+s\+b\+acl(\|\+selinux)\+xattrs\+sha512$

ausearch is checked in /etc/aide/aide.conf failed because these items were missing:

Object oval:ssg-object_aide_verify_ausearch:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/aide/aide.conf	^/usr/sbin/ausearch\s+([^\n]+)$	1

State oval:ssg-state_aide_check_attributes:ste:1 of type textfilecontent54_state

Subexpression
^p\+i\+n\+u\+g\+s\+b\+acl(\|\+selinux)\+xattrs\+sha512$

aureport is checked in /etc/aide/aide.conf failed because these items were missing:

Object oval:ssg-object_aide_verify_aureport:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/aide/aide.conf	^/usr/sbin/aureport\s+([^\n]+)$	1

State oval:ssg-state_aide_check_attributes:ste:1 of type textfilecontent54_state

Subexpression
^p\+i\+n\+u\+g\+s\+b\+acl(\|\+selinux)\+xattrs\+sha512$

autrace is checked in /etc/aide/aide.conf failed because these items were missing:

Object oval:ssg-object_aide_verify_autrace:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/aide/aide.conf	^/usr/sbin/autrace\s+([^\n]+)$	1

State oval:ssg-state_aide_check_attributes:ste:1 of type textfilecontent54_state

Subexpression
^p\+i\+n\+u\+g\+s\+b\+acl(\|\+selinux)\+xattrs\+sha512$

augenrules is checked in /etc/aide/aide.conf failed because these items were missing:

Object oval:ssg-object_aide_verify_augenrules:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/aide/aide.conf	^/usr/sbin/augenrules\s+([^\n]+)$	1

State oval:ssg-state_aide_check_attributes:ste:1 of type textfilecontent54_state

Subexpression
^p\+i\+n\+u\+g\+s\+b\+acl(\|\+selinux)\+xattrs\+sha512$

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Configure AIDE to Verify the Audit Tools - Gather List of Packages
  tags:
  - DISA-STIG-UBTU-22-651030
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  ansible.builtin.package_facts:
    manager: auto
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

- name: Ensure aide is installed
  package:
    name: '{{ item }}'
    state: present
  with_items:
  - aide
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-651030
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set audit_tools fact
  set_fact:
    audit_tools:
    - /usr/sbin/auditctl
    - /usr/sbin/auditd
    - /usr/sbin/augenrules
    - /usr/sbin/aureport
    - /usr/sbin/ausearch
    - /usr/sbin/autrace
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-651030
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure existing AIDE configuration for audit tools are correct
  lineinfile:
    path: /etc/aide/aide.conf
    regexp: ^{{ item }}\s
    line: '{{ item }} p+i+n+u+g+s+b+acl+xattrs+sha512'
  with_items: '{{ audit_tools }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-651030
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure AIDE to properly protect audit tools
  lineinfile:
    path: /etc/aide/aide.conf
    line: '{{ item }} p+i+n+u+g+s+b+acl+xattrs+sha512'
  with_items: '{{ audit_tools }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-651030
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"








if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure Periodic Execution of AIDE

Rule ID xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-22-651025, 1.3.2, R76, 11.5.2

Description

At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/bin/aide --config /etc/aide/aide.conf --check

To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * 0 root /usr/bin/aide --config /etc/aide/aide.conf --check

AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.

Rationale

By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

OVAL details

aide check scheduled in crontab for root failed because these items were missing:

Object oval:ssg-obj_root_crontab_aide:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/var/spool/cron/crontabs/root	aide(\.wrapper)?	1

aide check scheduled in /etc/cron.* failed because these items were missing:

Object oval:ssg-obj_etc_cron_aide:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/cron\.(daily\|hourly\|weekly)	^.*$	^(?:\/usr\/bin\/)?aide(\.wrapper)?	1

aide check scheduled in /etc/crontab failed because these items were missing:

Object oval:ssg-obj_etc_crontab_aide:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/crontab	[^\s]+\s+[^\s]+\s+\(?:\/[1-7])\s+\\s+[^\s]+\s+(?:\/usr\/bin\/)?aide(\.wrapper)?\s+[^\s]+\s+(?=-C\|--check).	1

systemd aidecheck.service enabled failed because these items were missing:

Object oval:ssg-obj_aidecheck-service_unitfilestate:obj:1 of type systemdunitproperty_object

Unit	Property
aidecheck.service	UnitFileState

State oval:ssg-ste_aide_is_enabled:ste:1 of type systemdunitproperty_state

Value
enabled

systemd aidecheck.timer enabled failed because these items were missing:

Object oval:ssg-obj_aidecheck-timer_unitfilestate:obj:1 of type systemdunitproperty_object

Unit	Property
aidecheck.timer	UnitFileState

State oval:ssg-ste_aide_is_enabled:ste:1 of type systemdunitproperty_state

Value
enabled

systemd aidecheck.timer active failed because these items were missing:

Object oval:ssg-obj_aidecheck-timer_activestate:obj:1 of type systemdunitproperty_object

Unit	Property
aidecheck.timer	ActiveState

State oval:ssg-ste_aide_is_active:ste:1 of type systemdunitproperty_state

Value
active

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Ensure AIDE is installed
  package:
    name: '{{ item }}'
    state: present
  with_items:
  - aide
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651025
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set cron package name - RedHat
  set_fact:
    cron_pkg_name: cronie
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_os_family == "RedHat" or ansible_os_family == "Suse"
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651025
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set cron package name - Debian
  set_fact:
    cron_pkg_name: cron
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_os_family == "Debian"
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651025
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Install cron
  package:
    name: '{{ cron_pkg_name }}'
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651025
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Periodic Execution of AIDE
  cron:
    name: run AIDE check
    minute: 5
    hour: 4
    weekday: 0
    user: root
    job: /usr/bin/aide --check
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-UBTU-22-651025
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - PCI-DSSv4-11.5.2
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"

# AiDE usually adds its own cron jobs to /etc/cron.daily. If script is there, this rule is
# compliant. Otherwise, we copy the script to the /etc/cron.weekly
if ! grep -Eq '^(\/usr\/bin\/)?aide(\.wrapper)?\s+' /etc/cron.*/*; then
    cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.weekly/
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Package "prelink" Must not be Installed

Rule ID xccdf_org.ssgproject.content_rule_package_prelink_removed

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1.5.2

Description

The prelink package can be removed with the following command:

 $ apt-get remove prelink

Rationale

The use of the prelink package can interfere with the operation of AIDE since it binaries. Prelinking can also increase damage caused by vulnerability in a common library like libc.

OVAL details

package prelink is removed passed because these items were not found:

Object oval:ssg-obj_test_package_prelink_removed:obj:1 of type dpkginfo_object

Name
prelink

Ensure /tmp Located On Separate Partition

Rule ID xccdf_org.ssgproject.content_rule_partition_for_tmp

Result

fail

Time 2025-05-13T15:24:10

Severity low

Identifiers and References

References: 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.2.1

Description

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

OVAL details

/tmp on own partition failed because these items were missing:

Object oval:ssg-object_mounttmp_own_partition:obj:1 of type partition_object

Mount point
/tmp

Disable the GNOME3 Login User List

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3

Description

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting disable-user-list to true.

To disable, add or edit disable-user-list to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
disable-user-list=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/disable-user-list

After the settings have been set, run dconf update.

Rationale

Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.

OVAL details

GUI user list is disabled failed because these items were missing:

Object oval:ssg-obj_disable_user_list:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/gdm.d/	^.*$	^\[org/gnome/login-screen\]([^\n]*\n+)+?disable-user-list=true$	1

GUI user list cannot be enabled failed because these items were missing:

Object oval:ssg-obj_prevent_user_disable_user_list:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/gdm.d/locks/	^.*$	^/org/gnome/login-screen/disable-user-list$	1

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
                                | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"

mkdir -p "${DBDIR}"

# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
    if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
    then
        
        sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}"
    fi
fi

[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
then
    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
fi

escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
if grep -q "^\\s*disable-user-list\\s*=" "${DCONFFILE}"
then
        sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${DCONFFILE}"
    else
        sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${DCONFFILE}"
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \
            | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"

mkdir -p "${LOCKSFOLDER}"

# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
    sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}"
fi

if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/
then
    echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable XDMCP in GDM

Rule ID xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp

Result

fail

Time 2025-05-13T15:24:10

Severity high

Identifiers and References

References: 1.8.10

Description

XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. XDMCP Gnome docs. To disable XDMCP support in Gnome, set Enable to false under the [xdmcp] configuration section in /etc/gdm/custom.conf. For example:

[xdmcp]
Enable=false

Rationale

XDMCP provides unencrypted remote access through the Gnome Display Manager (GDM) which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using XDMCP, the privileged user password could be compromised due to typed XEvents and keystrokes will traversing over the network in clear text.

OVAL details

tests the value of Enable setting in the /etc/gdm3/custom.conf file failed because these items were missing:

Object oval:ssg-obj_gnome_gdm_disable_xdmcp:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/gdm3/custom.conf	^\s\[xdmcp\].(?:\n\s[^[\s].)\n^\sEnable[ \t]=[ \t](.+?)[ \t]*(?:$\|#)	1

State oval:ssg-state_gnome_gdm_disable_xdmcp:ste:1 of type textfilecontent54_state

Subexpression
^false$

The configuration file /etc/gdm3/custom.conf exists for gnome_gdm_disable_xdmcp failed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/etc/gdm3/custom.conf	regular	0	0	554	`rw-r--r--`

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then

# Try find '[xdmcp]' and 'Enable' in '/etc/gdm3/custom.conf', if it exists, set
# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there
if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm3/custom.conf'; then
    
    sed -i "s/Enable[^(\n)]*/Enable=false/" '/etc/gdm3/custom.conf'
elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm3/custom.conf'; then
    sed -i "/[[:space:]]*\[xdmcp]/a Enable=false" '/etc/gdm3/custom.conf'
else
    if test -d "/etc/gdm3"; then
        printf '%s\n' '[xdmcp]' "Enable=false" >> '/etc/gdm3/custom.conf'
    else
        echo "Config file directory '/etc/gdm3' doesnt exist, not remediating, assuming non-applicability." >&2
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable GNOME3 Automounting

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.8.6, 3.4.2

Description

The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount within GNOME3, add or set automount to false in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/media-handling]
automount=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/media-handling/automount

After the settings have been set, run dconf update.

Rationale

Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

OVAL details

Disable automount in GNOME3 failed because these items were missing:

Object oval:ssg-obj_dconf_gnome_disable_automount:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount=false$	1

Prevent user from changing automount setting failed because these items were missing:

Object oval:ssg-obj_prevent_user_gnome_automount:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/locks/	^.*$	^/org/gnome/desktop/media-handling/automount$	1

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
    if grep -q "^\\s*automount\\s*=" "${SETTINGSFILES[@]}"
    then
        
        sed -Ei "s/(^\s*)automount(\s*=)/#\1automount\2/g" "${SETTINGSFILES[@]}"
    fi
fi

[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
then
    printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
fi

escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
if grep -q "^\\s*automount\\s*=" "${DCONFFILE}"
then
        sed -i "s/\\s*automount\\s*=\\s*.*/automount=${escaped_value}/g" "${DCONFFILE}"
    else
        sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount=${escaped_value}" "${DCONFFILE}"
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" \
            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
    sed -i -E "s|^/org/gnome/desktop/media-handling/automount$|#&|" "${LOCKFILES[@]}"
fi

if ! grep -qr "^/org/gnome/desktop/media-handling/automount$" /etc/dconf/db/local.d/
then
    echo "/org/gnome/desktop/media-handling/automount" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable GNOME3 Automount Opening

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

Description

The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount-open within GNOME3, add or set automount-open to false in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/media-handling]
automount-open=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/media-handling/automount-open

After the settings have been set, run dconf update.

Rationale

Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

OVAL details

Disable automount-open in GNOME failed because these items were missing:

Object oval:ssg-obj_dconf_gnome_disable_automount_open:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount-open=false$	1

Prevent user from changing automount-open setting failed because these items were missing:

Object oval:ssg-obj_prevent_user_gnome_automount_open:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/locks/	^.*$	^/org/gnome/desktop/media-handling/automount-open$	1

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
    if grep -q "^\\s*automount-open\\s*=" "${SETTINGSFILES[@]}"
    then
        
        sed -Ei "s/(^\s*)automount-open(\s*=)/#\1automount-open\2/g" "${SETTINGSFILES[@]}"
    fi
fi

[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
then
    printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
fi

escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
if grep -q "^\\s*automount-open\\s*=" "${DCONFFILE}"
then
        sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${DCONFFILE}"
    else
        sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${DCONFFILE}"
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" \
            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
    sed -i -E "s|^/org/gnome/desktop/media-handling/automount-open$|#&|" "${LOCKFILES[@]}"
fi

if ! grep -qr "^/org/gnome/desktop/media-handling/automount-open$" /etc/dconf/db/local.d/
then
    echo "/org/gnome/desktop/media-handling/automount-open" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable GNOME3 Automount running

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun

Result

fail

Time 2025-05-13T15:24:10

Severity low

Identifiers and References

Description

The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable autorun-never within GNOME3, add or set autorun-never to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/media-handling]
autorun-never=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/media-handling/autorun-never

After the settings have been set, run dconf update.

Rationale

Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mount running in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

OVAL details

Disable autorun in GNOME failed because these items were missing:

Object oval:ssg-obj_dconf_gnome_disable_autorun:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?autorun-never=true$	1

Prevent user from changing autorun setting failed because these items were missing:

Object oval:ssg-obj_prevent_user_gnome_autorun:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/locks/	^.*$	^/org/gnome/desktop/media-handling/autorun-never$	1

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
    if grep -q "^\\s*autorun-never\\s*=" "${SETTINGSFILES[@]}"
    then
        
        sed -Ei "s/(^\s*)autorun-never(\s*=)/#\1autorun-never\2/g" "${SETTINGSFILES[@]}"
    fi
fi

[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
then
    printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
fi

escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
if grep -q "^\\s*autorun-never\\s*=" "${DCONFFILE}"
then
        sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${DCONFFILE}"
    else
        sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${DCONFFILE}"
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" \
            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
    sed -i -E "s|^/org/gnome/desktop/media-handling/autorun-never$|#&|" "${LOCKFILES[@]}"
fi

if ! grep -qr "^/org/gnome/desktop/media-handling/autorun-never$" /etc/dconf/db/local.d/
then
    echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set GNOME3 Screensaver Lock Delay After Activation Period

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, UBTU-22-271025, 1.8.5, 8.2.8

Description

To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 0 in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-delay=uint32 0

After the settings have been set, run dconf update.

Rationale

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.

OVAL details

screensaver lock is set correctly failed because these items were missing:

Object oval:ssg-obj_screensaver_lock_delay:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^\[org/gnome/desktop/screensaver\]([^\n]\n+)+?lock-delay=uint32[\s][0-9]$	1

screensaver lock delay setting is correct failed because these items were missing:

Object oval:ssg-obj_screensaver_lock_delay_setting:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^lock-delay[\s=]uint32[\s]([^=\s])	1

State oval:ssg-state_screensaver_lock_delay_setting:ste:1 of type textfilecontent54_state

Subexpression
0

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

var_screensaver_lock_delay='0'


# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
    if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}"
    then
        
        sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}"
    fi
fi

[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
then
    printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
fi

escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")"
if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}"
then
        sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}"
    else
        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable GNOME3 Screensaver Lock After Idle Period

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000058, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, UBTU-22-271020, 1.8.4, 8.2.8

Description

To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-enabled=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-enabled

After the settings have been set, run dconf update.

Rationale

OVAL details

screensaver lock is enabled failed because these items were missing:

Object oval:ssg-obj_screensaver_lock_enabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?lock-enabled=true$	1

screensaver lock cannot be changed by user failed because these items were missing:

Object oval:ssg-obj_prevent_user_screensaver_lock:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/locks/	^.*$	^/org/gnome/desktop/screensaver/lock-enabled$	1

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
    if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}"
    then
        
        sed -Ei "s/(^\s*)lock-enabled(\s*=)/#\1lock-enabled\2/g" "${SETTINGSFILES[@]}"
    fi
fi

[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
then
    printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
fi

escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
if grep -q "^\\s*lock-enabled\\s*=" "${DCONFFILE}"
then
        sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${DCONFFILE}"
    else
        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${DCONFFILE}"
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \
            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
    sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}"
fi

if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/
then
    echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Install sudo Package

Rule ID xccdf_org.ssgproject.content_rule_package_sudo_installed

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.3.1, R33, 2.2.6

Description

The sudo package can be installed with the following command:

$ apt-get install sudo

Rationale

sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.

OVAL details

package sudo is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr
sudo	amd64	0	1ubuntu2.4	1.9.9	0:1.9.9-1ubuntu2.4

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

Rule ID xccdf_org.ssgproject.content_rule_sudo_add_use_pty

Result

error

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: Req-10.2.5, 5.3.2, R39, 2.2.6

Description

The sudo use_pty tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the use_pty tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user's terminal after the main program has finished executing.

OVAL details

use_pty exists in /etc/sudoers or /etc/sudoers.d/ failed because these items were missing:

Object oval:ssg-object_use_pty_sudoers:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/sudoers(\|\.d/.*)$	^[\s]Defaults[\s]\buse_pty.*$	1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSS-Req-10.2.5
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_add_use_pty

- name: Ensure use_pty is enabled in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults.*\buse_pty\b.*$
    line: Defaults use_pty
    validate: /usr/sbin/visudo -cf %s
  when: '"sudo" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.2.5
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_add_use_pty

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'sudo' 2>/dev/null | grep -q installed; then

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults[\s]*\buse_pty\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option use_pty
        echo "Defaults use_pty" >> /etc/sudoers
    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure Sudo Logfile Exists - sudo logfile

Rule ID xccdf_org.ssgproject.content_rule_sudo_custom_logfile

Result

error

Time 2025-05-13T15:24:10

Severity low

Identifiers and References

References: Req-10.2.5, 5.3.3, 2.2.6

Description

A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.

Rationale

A sudo log file simplifies auditing of sudo commands.

OVAL details

logfile exists in /etc/sudoers or /etc/sudoers.d/ failed because these items were missing:

Object oval:ssg-object_logfile_sudoers:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/sudoers(\|\.d/.*)$	^[\s]Defaults[\s]\blogfile\s=\s(?:"?([^",\s]+)"?).*$	1

State oval:ssg-state_logfile_sudoers:ste:1 of type textfilecontent54_state

Subexpression
/var/log/sudo.logopen(): '/etc/sudoers' Permission denied.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSS-Req-10.2.5
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_custom_logfile
- name: XCCDF Value var_sudo_logfile # promote to variable
  set_fact:
    var_sudo_logfile: !!str /var/log/sudo.log
  tags:
    - always

- name: Ensure logfile is enabled with the appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\blogfile=[-]?.+\b(.*)$
    line: Defaults \1logfile={{ var_sudo_logfile }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_logfile_option
  when: '"sudo" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.2.5
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_custom_logfile

- name: Enable logfile option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults logfile={{ var_sudo_logfile }}
    validate: /usr/sbin/visudo -cf %s
  when:
  - '"sudo" in ansible_facts.packages'
  - edit_sudoers_logfile_option is defined and not edit_sudoers_logfile_option.changed
  tags:
  - PCI-DSS-Req-10.2.5
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_custom_logfile

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'sudo' 2>/dev/null | grep -q installed; then

var_sudo_logfile='/var/log/sudo.log'


if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults[\s]*\blogfile\s*=\s*(?:"?([^",\s]+)"?)\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option logfile
        echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers
    else
        # sudoers file defines Option logfile, remediate if appropriate value is not set
        if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then
            
            escaped_variable=${var_sudo_logfile//$'/'/$'\/'}
            sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
        fi
    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

Rule ID xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate

Result

error

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, 5.3.5

Description

The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

OVAL details

!authenticate does not exist in /etc/sudoers failed because these items were missing:

Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sudoers	^(?!#).[\s]+\!authenticate.$	1

!authenticate does not exist in /etc/sudoers.d failed because these items were missing:

Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sudoers.d	^.*$	^(?!#).[\s]+\!authenticate.$	1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Find /etc/sudoers.d/ files
  ansible.builtin.find:
    paths:
    - /etc/sudoers.d/
  register: sudoers
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_remove_no_authenticate

- name: Remove lines containing !authenticate from sudoers files
  ansible.builtin.replace:
    regexp: (^(?!#).*[\s]+\!authenticate.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
  - path: /etc/sudoers
  - '{{ sudoers.files }}'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_remove_no_authenticate

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict


for f in /etc/sudoers /etc/sudoers.d/* ; do
  if [ ! -e "$f" ] ; then
    continue
  fi
  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "!authenticate" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done

Require Re-Authentication When Using the sudo Command

Rule ID xccdf_org.ssgproject.content_rule_sudo_require_reauthentication

Result

error

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, 5.3.6, 2.2.6

Description

The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.

Rationale

OVAL details

check correct configuration in /etc/sudoers failed because these items were missing:

Object oval:ssg-obj_sudo_timestamp_timeout:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\/etc\/(sudoers\|sudoers\.d\/.*)$	^[\s]Defaults[\s]+timestamp_timeout[\s]=\s[+]?(\d\.\d+\|\d+\.\d*\|\d+)$	1

check correct configuration in /etc/sudoers failed because these items were missing:

Object oval:ssg-obj_sudo_timestamp_timeout_no_signs:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\/etc\/(sudoers\|sudoers\.d\/.*)$	^[\s]Defaults[\s]+timestamp_timeout[\s]=\s[\-](\d\.\d+\|\d+\.\d*\|\d+)$	1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-IA-11
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication
- name: XCCDF Value var_sudo_timestamp_timeout # promote to variable
  set_fact:
    var_sudo_timestamp_timeout: !!str 15
  tags:
    - always

- name: Require Re-Authentication When Using the sudo Command - Find /etc/sudoers.d/*
    files containing 'Defaults timestamp_timeout'
  ansible.builtin.find:
    path: /etc/sudoers.d
    patterns: '*'
    contains: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
  register: sudoers_d_defaults_timestamp_timeout
  when: '"sudo" in ansible_facts.packages'
  tags:
  - NIST-800-53-IA-11
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

- name: Require Re-Authentication When Using the sudo Command - Remove 'Defaults timestamp_timeout'
    from /etc/sudoers.d/* files
  ansible.builtin.lineinfile:
    path: '{{ item.path }}'
    regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
    state: absent
  with_items: '{{ sudoers_d_defaults_timestamp_timeout.files }}'
  when: '"sudo" in ansible_facts.packages'
  tags:
  - NIST-800-53-IA-11
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

- name: Require Re-Authentication When Using the sudo Command - Ensure timestamp_timeout
    has the appropriate value in /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout[\s]*=[\s]*[-]?\w+\b(.*)$
    line: Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_timestamp_timeout_option
  when: '"sudo" in ansible_facts.packages'
  tags:
  - NIST-800-53-IA-11
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

- name: Require Re-Authentication When Using the sudo Command - Enable timestamp_timeout
    option with correct value in /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    line: Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}
    validate: /usr/sbin/visudo -cf %s
  when:
  - '"sudo" in ansible_facts.packages'
  - |
    edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
  tags:
  - NIST-800-53-IA-11
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

- name: Require Re-Authentication When Using the sudo Command - Remove timestamp_timeout
    wrong values in /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=[\s]*(?!{{ var_sudo_timestamp_timeout
      }}\b)[-]?\w+\b.*$
    state: absent
    validate: /usr/sbin/visudo -cf %s
  when: '"sudo" in ansible_facts.packages'
  tags:
  - NIST-800-53-IA-11
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'sudo' 2>/dev/null | grep -q installed; then

var_sudo_timestamp_timeout='15'


if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then
    find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \;
fi

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then
        # sudoers file doesn't define Option timestamp_timeout
        echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
    else
        # sudoers file defines Option timestamp_timeout, remediate wrong values if present
        if grep -qP "^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=[\s]*(?!${var_sudo_timestamp_timeout}\b)[-]?\w+\b.*$" /etc/sudoers; then
            sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
        fi
    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable GNOME3 Login Warning Banner

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, UBTU-22-271010, 1.8.2

Description

In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
banner-message-enable=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/banner-message-enable

After the settings have been set, run dconf update. The banner text must also be set.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

OVAL details

GUI banner is enabled failed because these items were missing:

Object oval:ssg-obj_banner_gui_enabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/gdm.d/	^.*$	^\[org/gnome/login-screen\]([^\n]*\n+)+?banner-message-enable=true$	1

GUI banner cannot be changed by user failed because these items were missing:

Object oval:ssg-obj_prevent_user_banner_gui_enabled_change:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/gdm.d/locks/	^.*$	^/org/gnome/login-screen/banner-message-enable$	1

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
                                | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"

mkdir -p "${DBDIR}"

# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
    if grep -q "^\\s*banner-message-enable\\s*=" "${SETTINGSFILES[@]}"
    then
        
        sed -Ei "s/(^\s*)banner-message-enable(\s*=)/#\1banner-message-enable\2/g" "${SETTINGSFILES[@]}"
    fi
fi

[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
then
    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
fi

escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
if grep -q "^\\s*banner-message-enable\\s*=" "${DCONFFILE}"
then
        sed -i "s/\\s*banner-message-enable\\s*=\\s*.*/banner-message-enable=${escaped_value}/g" "${DCONFFILE}"
    else
        sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-enable=${escaped_value}" "${DCONFFILE}"
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-enable$" "/etc/dconf/db/" \
            | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"

mkdir -p "${LOCKSFOLDER}"

# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
    sed -i -E "s|^/org/gnome/login-screen/banner-message-enable$|#&|" "${LOCKFILES[@]}"
fi

if ! grep -qr "^/org/gnome/login-screen/banner-message-enable$" /etc/dconf/db/gdm.d/
then
    echo "/org/gnome/login-screen/banner-message-enable" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set the GNOME3 Login Warning Banner Text

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, UBTU-22-271015, 1.8.2

Description

In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting banner-message-text to 'APPROVED_BANNER' where APPROVED_BANNER is the approved banner for your environment.

To enable, add or edit banner-message-text to /etc/gdm3/greeter.dconf-defaults. For example:

[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'

After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines.

Rationale

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

OVAL details

login banner text is correctly set failed because these items were missing:

Object oval:ssg-obj_gdm_login_banner_text_setting:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/gdm.d/	^.*$	^banner-message-text=\s'([^'])'$	1

State oval:ssg-state_gdm_login_banner_text_setting:ste:1 of type textfilecontent54_state

Subexpression
^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$

login banner text is correctly set on gdm3 default failed because these items were missing:

Object oval:ssg-obj_gdm_login_banner_text_setting_gdm3:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/gdm3/greeter.dconf-defaults	^banner-message-text=\s'([^'])'$	1

State oval:ssg-state_gdm_login_banner_text_setting:ste:1 of type textfilecontent54_state

Subexpression
^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then

login_banner_text='^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$'


# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
# 1 - Keep only the first banners if there are multiple
#    (dod_banners contains the long and short banner)
login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g')
# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
#    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g')

# Will do both approach, since we plan to migrate to checks over dconf db. That way, future updates of the tool
# will pass the check even if we decide to check only for the dconf db path.
if [ -e "/etc/gdm3/greeter.dconf-defaults" ] ; then
    
    LC_ALL=C sed -i "/^\s*banner\-message\-text/Id" "/etc/gdm3/greeter.dconf-defaults"
else
    touch "/etc/gdm3/greeter.dconf-defaults"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/gdm3/greeter.dconf-defaults"

cp "/etc/gdm3/greeter.dconf-defaults" "/etc/gdm3/greeter.dconf-defaults.bak"
# Insert after the line matching the regex '\[org/gnome/login-screen\]'
line_number="$(LC_ALL=C grep -n "\[org/gnome/login-screen\]" "/etc/gdm3/greeter.dconf-defaults.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '\[org/gnome/login-screen\]', insert at
    # the end of the file.
    printf '%s\n' "banner-message-text='${login_banner_text}'" >> "/etc/gdm3/greeter.dconf-defaults"
else
    head -n "$(( line_number ))" "/etc/gdm3/greeter.dconf-defaults.bak" > "/etc/gdm3/greeter.dconf-defaults"
    printf '%s\n' "banner-message-text='${login_banner_text}'" >> "/etc/gdm3/greeter.dconf-defaults"
    tail -n "+$(( line_number + 1 ))" "/etc/gdm3/greeter.dconf-defaults.bak" >> "/etc/gdm3/greeter.dconf-defaults"
fi
# Clean up after ourselves.
rm "/etc/gdm3/greeter.dconf-defaults.bak"
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
                                | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"

mkdir -p "${DBDIR}"

# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
    if grep -q "^\\s*banner-message-text\\s*=" "${SETTINGSFILES[@]}"
    then
        
        sed -Ei "s/(^\s*)banner-message-text(\s*=)/#\1banner-message-text\2/g" "${SETTINGSFILES[@]}"
    fi
fi

[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
then
    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
fi

escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")"
if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}"
then
        sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}"
    else
        sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-text=${escaped_value}" "${DCONFFILE}"
fi

dconf update
# No need to use dconf update, since bash_dconf_settings does that already

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Modify the System Login Banner

Rule ID xccdf_org.ssgproject.content_rule_banner_etc_issue

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, 1.7.2

Description

To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

OVAL details

correct banner in /etc/issue failed because of these items:

Path	Content
/etc/issue	Ubuntu 22.04.5 LTS \n \l

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

login_banner_text='^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$'


# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
# 1 - Keep only the first banners if there are multiple
#    (dod_banners contains the long and short banner)
login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
formatted=$(echo "$login_banner_text" | fold -sw 80)
cat <<EOF >/etc/issue
$formatted
EOF

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Modify the System Login Banner for Remote Connections

Rule ID xccdf_org.ssgproject.content_rule_banner_etc_issue_net

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, UBTU-22-255020, 1.7.3

Description

To configure the system login banner edit /etc/issue.net. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

OVAL details

correct banner in /etc/issue.net failed because of these items:

Path	Content
/etc/issue.net	Ubuntu 22.04.5 LTS

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	false
Strategy:	unknown

- name: XCCDF Value remote_login_banner_text # promote to variable
  set_fact:
    remote_login_banner_text: !!str ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
  tags:
    - always

- name: Modify the System Login Banner for Remote Connections - ensure correct banner
  copy:
    dest: /etc/issue.net
    content: '{{ remote_login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
      "\n") | regex_replace("\\", "") | wordwrap() }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-255020
  - banner_etc_issue_net
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

remote_login_banner_text='^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$'


# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
# 1 - Keep only the first banners if there are multiple
#    (dod_banners contains the long and short banner)
remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/\\//g')
formatted=$(echo "$remote_login_banner_text" | fold -sw 80)

cat <<EOF >/etc/issue.net
$formatted
EOF

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Modify the System Message of the Day Banner

Rule ID xccdf_org.ssgproject.content_rule_banner_etc_motd

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1.7.1

Description

To configure the system message banner edit /etc/motd. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

OVAL details

/etc/motd exists passed because these items were not found:

Object oval:ssg-object_banner_etc_motd_exists:obj:1 of type file_object

Filepath
/etc/motd

correct banner in /etc/motd passed because these items were not found:

Object oval:ssg-object_banner_etc_motd:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/motd	^(.*)$	1

State oval:ssg-state_banner_etc_motd:ste:1 of type textfilecontent54_state

Subexpression
^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$

Verify Group Ownership of System Login Banner

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1.7.5

Description

To properly set the group owner of /etc/issue, run the command:

$ sudo chgrp root /etc/issue

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper group ownership will ensure that only root user can modify the banner.

OVAL details

Testing group ownership of /etc/issue passed because these items were not found:

Object oval:ssg-object_file_groupowner_etc_issue_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue	oval:ssg-symlink_file_groupowner_etc_issue_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_issue_gid_0_0:ste:1

Verify Group Ownership of System Login Banner for Remote Connections

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1.7.6, 1.2.8

Description

To properly set the group owner of /etc/issue.net, run the command:

$ sudo chgrp root /etc/issue.net

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper group ownership will ensure that only root user can modify the banner.

OVAL details

Testing group ownership of /etc/issue.net passed because these items were not found:

Object oval:ssg-object_file_groupowner_etc_issue_net_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue.net	oval:ssg-symlink_file_groupowner_etc_issue_net_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_issue_net_gid_0_0:ste:1

Verify Group Ownership of Message of the Day Banner

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_etc_motd

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1.7.4

Description

To properly set the group owner of /etc/motd, run the command:

$ sudo chgrp root /etc/motd

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper group ownership will ensure that only root user can modify the banner.

OVAL details

Testing group ownership of /etc/motd passed because these items were not found:

Object oval:ssg-object_file_groupowner_etc_motd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/motd	oval:ssg-symlink_file_groupowner_etc_motd_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_motd_gid_0_0:ste:1

Verify ownership of System Login Banner

Rule ID xccdf_org.ssgproject.content_rule_file_owner_etc_issue

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1.7.5

Description

To properly set the owner of /etc/issue, run the command:

$ sudo chown root /etc/issue

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper ownership will ensure that only root user can modify the banner.

OVAL details

Testing user ownership of /etc/issue passed because these items were not found:

Object oval:ssg-object_file_owner_etc_issue_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue	oval:ssg-symlink_file_owner_etc_issue_uid_0:ste:1	oval:ssg-state_file_owner_etc_issue_uid_0_0:ste:1

Verify ownership of System Login Banner for Remote Connections

Rule ID xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1.7.6, 1.2.8

Description

To properly set the owner of /etc/issue.net, run the command:

$ sudo chown root /etc/issue.net

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper ownership will ensure that only root user can modify the banner.

OVAL details

Testing user ownership of /etc/issue.net passed because these items were not found:

Object oval:ssg-object_file_owner_etc_issue_net_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue.net	oval:ssg-symlink_file_owner_etc_issue_net_uid_0:ste:1	oval:ssg-state_file_owner_etc_issue_net_uid_0_0:ste:1

Verify ownership of Message of the Day Banner

Rule ID xccdf_org.ssgproject.content_rule_file_owner_etc_motd

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1.7.4

Description

To properly set the owner of /etc/motd, run the command:

$ sudo chown root /etc/motd

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper ownership will ensure that only root user can modify the banner.

OVAL details

Testing user ownership of /etc/motd passed because these items were not found:

Object oval:ssg-object_file_owner_etc_motd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/motd	oval:ssg-symlink_file_owner_etc_motd_uid_0:ste:1	oval:ssg-state_file_owner_etc_motd_uid_0_0:ste:1

Verify permissions on System Login Banner

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_etc_issue

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1.7.5

Description

To properly set the permissions of /etc/issue, run the command:

$ sudo chmod 0644 /etc/issue

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper permissions will ensure that only root user can modify the banner.

OVAL details

Testing mode of /etc/issue passed because these items were not found:

Object oval:ssg-object_file_permissions_etc_issue_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue	oval:ssg-exclude_symlinks__etc_issue:ste:1	oval:ssg-state_file_permissions_etc_issue_0_mode_0644or_stricter_:ste:1

Verify permissions on System Login Banner for Remote Connections

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1.7.6, 1.2.8

Description

To properly set the permissions of /etc/issue.net, run the command:

$ sudo chmod 0644 /etc/issue.net

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper permissions will ensure that only root user can modify the banner.

OVAL details

Testing mode of /etc/issue.net passed because these items were not found:

Object oval:ssg-object_file_permissions_etc_issue_net_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue.net	oval:ssg-exclude_symlinks__etc_issue_net:ste:1	oval:ssg-state_file_permissions_etc_issue_net_0_mode_0644or_stricter_:ste:1

Verify permissions on Message of the Day Banner

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_etc_motd

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1.7.4

Description

To properly set the permissions of /etc/motd, run the command:

$ sudo chmod 0644 /etc/motd

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper permissions will ensure that only root user can modify the banner.

OVAL details

Testing mode of /etc/motd passed because these items were not found:

Object oval:ssg-object_file_permissions_etc_motd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/motd	oval:ssg-exclude_symlinks__etc_motd:ste:1	oval:ssg-state_file_permissions_etc_motd_0_mode_0644or_stricter_:ste:1

Limit Password Reuse

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, UBTU-22-611050, 5.4.3, R31, 8.3.7

Description

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

Rationale

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

Warnings

warning If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report.

warning Newer versions of authselect contain an authselect feature to easily and properly enable pam_pwhistory.so module. If this feature is not yet available in your system, an authselect custom profile must be used to avoid integrity issues in PAM files.

OVAL details

Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/common-password failed because these items were missing:

Object oval:ssg-object_accounts_password_pam_unix_remember:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/common-password	^\spassword\s+\[.\]\s+pam_unix\.so.remember=([0-9]).*$	1

State oval:ssg-state_accounts_password_pam_unix_remember:ste:1 of type textfilecontent54_state

Subexpression
5

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	false
Strategy:	configure

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.6.2.1.1
  - DISA-STIG-UBTU-22-611050
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - PCI-DSSv4-8.3.7
  - accounts_password_pam_unix_remember
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
- name: XCCDF Value var_password_pam_unix_remember # promote to variable
  set_fact:
    var_password_pam_unix_remember: !!str 5
  tags:
    - always

- name: Limit Password Reuse - Check if the required PAM module option is present
    in /etc/pam.d/common-password
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    regexp: ^\s*password\s+\[success=[A-Za-z0-9].*\]\s+pam_unix.so\s*.*\sremember\b
    state: absent
  check_mode: true
  changed_when: false
  register: result_pam_module_remember_option_present
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - CJIS-5.6.2.1.1
  - DISA-STIG-UBTU-22-611050
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - PCI-DSSv4-8.3.7
  - accounts_password_pam_unix_remember
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: Limit Password Reuse - Ensure the "remember" PAM option for "pam_unix.so"
    is included in /etc/pam.d/common-password
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    backrefs: true
    regexp: ^(\s*password\s+\[success=[A-Za-z0-9].*\]\s+pam_unix.so.*)
    line: \1 remember={{ var_password_pam_unix_remember }}
    state: present
  register: result_pam_remember_add
  when:
  - '"libpam-runtime" in ansible_facts.packages'
  - result_pam_module_remember_option_present.found == 0
  tags:
  - CJIS-5.6.2.1.1
  - DISA-STIG-UBTU-22-611050
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - PCI-DSSv4-8.3.7
  - accounts_password_pam_unix_remember
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: Limit Password Reuse - Ensure the required value for "remember" PAM option
    from "pam_unix.so" in /etc/pam.d/common-password
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    backrefs: true
    regexp: ^(\s*password\s+\[success=[A-Za-z0-9].*\]\s+pam_unix.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
    line: \1\2={{ var_password_pam_unix_remember }} \3
  register: result_pam_remember_edit
  when:
  - '"libpam-runtime" in ansible_facts.packages'
  - result_pam_module_remember_option_present.found > 0
  tags:
  - CJIS-5.6.2.1.1
  - DISA-STIG-UBTU-22-611050
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - PCI-DSSv4-8.3.7
  - accounts_password_pam_unix_remember
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_unix_remember='5'


if [ -e "/etc/pam.d/common-password" ] ; then
    valueRegex="$var_password_pam_unix_remember" defaultValue="$var_password_pam_unix_remember"
    # non-empty values need to be preceded by an equals sign
    [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
    # add an equals sign to non-empty values
    [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"

    # fix 'type' if it's wrong
    if grep -q -P "^\\s*(?"'!'"password\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_unix.so" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_unix.so)/\\1password\\2/" "/etc/pam.d/common-password"
    fi

    # fix 'control' if it's wrong
    if grep -q -P "^\\s*password\\s+(?"'!'"\[success=[[:alnum:]].*\])[[:alnum:]]+\\s+pam_unix.so" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+)[[:alnum:]]+(\\s+pam_unix.so)/\\1\[success=[[:alnum:]].*\]\\2/" "/etc/pam.d/common-password"
    fi

    # fix the value for 'option' if one exists but does not match 'valueRegex'
    if grep -q -P "^\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so(\\s.+)?\\s+remember(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so(\\s.+)?\\s)remember=[^[:space:]]*/\\1remember${defaultValue}/" "/etc/pam.d/common-password"

    # add 'option=default' if option is not set
    elif grep -q -E "^\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so" < "/etc/pam.d/common-password" &&
            grep    -E "^\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\sremember(=|\\s|\$)" ; then

        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so[^\\n]*)/\\1 remember${defaultValue}/" "/etc/pam.d/common-password"
    # add a new entry if none exists
    elif ! grep -q -P "^\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so(\\s.+)?\\s+remember${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
        echo "password \[success=[[:alnum:]].*\] pam_unix.so remember${defaultValue}" >> "/etc/pam.d/common-password"
    fi
else
    echo "/etc/pam.d/common-password doesn't exist" >&2
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Lock Accounts After Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, UBTU-22-411045, 5.4.2, R31, 8.3.4

Description

This rule configures the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. Ensure that the file /etc/security/faillock.conf contains the following entry: deny = <count> Where count should be less than or equal to 4 and greater than 0.

Rationale

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.

Warnings

OVAL details

No more than one pam_unix.so is expected in auth section of common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_common_pam_unix_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\sauth.pam_unix\.so	/etc/pam.d/common-auth	1

One and only one occurrence is expected in auth section of common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_common_pam_faillock_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\sauth\s+required\s+pam_faillock\.so.preauth.[\s\S]^\sauth.pam_unix\.so[\s\S]^\sauth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]^\sauth\s+sufficient\s+pam_faillock\.so\s+authsucc	/etc/pam.d/common-auth	1

One and only one occurrence is expected in common-account failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_common_pam_faillock_account:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\saccount\s+required\s+pam_faillock\.so\s(#.*)?$	/etc/pam.d/common-account	1

Check the expected deny value in common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_common:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^ ]*deny=([0-9]+)

/etc/pam.d/common-auth

State oval:ssg-state_accounts_passwords_pam_faillock_deny_parameter_upper_bound:ste:1 of type textfilecontent54_state

Subexpression
4^[\s]auth[\s]+.+[\s]+pam_faillock.so[\s]+[^ ]deny=([0-9]+)

Check the absence of deny parameter in /etc/security/faillock.conf failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]deny[\s]=[\s]*([0-9]+)	/etc/security/faillock.conf	1

Check the absence of deny parameter in common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_common:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]auth[\s]+.+[\s]+pam_faillock.so[\s]+[^ ]deny=([0-9]+)	/etc/pam.d/common-auth	1

Check the expected deny value in /etc/security/faillock.conf failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^[\s]*deny[\s]*=[\s]*([0-9]+)

/etc/security/faillock.conf

State oval:ssg-state_accounts_passwords_pam_faillock_deny_parameter_upper_bound:ste:1 of type textfilecontent54_state

Subexpression
4^[\s]deny[\s]=[\s]*([0-9]+)

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_accounts_passwords_pam_faillock_deny='4'


if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
authselect enable-feature with-faillock

authselect apply-changes -b
else
    
pam_file="/etc/pam.d/common-auth"
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
    # insert at the top
    sed -i --follow-symlinks '/^# here are the per-package modules/i auth        required      pam_faillock.so preauth' "$pam_file"
fi
if ! grep -qE '^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then

    num_lines=$(sed -n 's/^\s*auth.*success=\([1-9]\).*pam_unix\.so.*/\1/p' "$pam_file")
    if [ ! -z "$num_lines" ]; then

        # Add pam_faillock (authfail) module below pam_unix, skipping N-1 lines, where N is
        # the number of jumps in the pam_unix success=N statement. Ignore commented and empty lines.

        append_position=$(cat -n "${pam_file}" \
                          | grep -P "^\s+\d+\s+auth\s+.*$" \
                          | grep -w "pam_unix.so" -A $(( num_lines - 1 )) \
                          | tail -n 1 | cut -f 1 | tr -d ' '
                         )
        sed -i --follow-symlinks ''${append_position}'a auth        [default=die]      pam_faillock.so authfail' "$pam_file"
    else
        sed -i --follow-symlinks '/^auth.*pam_unix\.so.*/a auth        [default=die]      pam_faillock.so authfail' "$pam_file"
    fi
fi
if ! grep -qE '^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc.*$' "$pam_file" ; then
    sed -i --follow-symlinks '/^auth.*pam_faillock\.so.*authfail.*/a auth        sufficient      pam_faillock.so authsucc' "$pam_file"
fi

pam_file="/etc/pam.d/common-account"
if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
    echo 'account   required     pam_faillock.so' >> "$pam_file"
fi

fi

AUTH_FILES=("/etc/pam.d/common-auth" "/etc/pam.d/password-auth")

FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
    regex="^\s*deny\s*="
    line="deny = $var_accounts_passwords_pam_faillock_deny"
    if ! grep -q $regex $FAILLOCK_CONF; then
        echo $line >> $FAILLOCK_CONF
    else
        sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF
    fi
    for pam_file in "${AUTH_FILES[@]}"
    do
        if [ -e "$pam_file" ] ; then
            PAM_FILE_PATH="$pam_file"
            if [ -f /usr/bin/authselect ]; then
                
                if ! authselect check; then
                echo "
                authselect integrity check failed. Remediation aborted!
                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
                It is not recommended to manually edit the PAM files when authselect tool is available.
                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
                exit 1
                fi

                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
                # If not already in use, a custom profile is created preserving the enabled features.
                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                    authselect create-profile hardening -b $CURRENT_PROFILE
                    CURRENT_PROFILE="custom/hardening"
                    
                    authselect apply-changes -b --backup=before-hardening-custom-profile
                    authselect select $CURRENT_PROFILE
                    for feature in $ENABLED_FEATURES; do
                        authselect enable-feature $feature;
                    done
                    
                    authselect apply-changes -b --backup=after-hardening-custom-profile
                fi
                PAM_FILE_NAME=$(basename "$pam_file")
                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

                authselect apply-changes -b
            fi
            
        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then
            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
        fi
            if [ -f /usr/bin/authselect ]; then
                
                authselect apply-changes -b
            fi
        else
            echo "$pam_file was not found" >&2
        fi
    done
else
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
        else
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
        fi
    done
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set Interval For Counting Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, UBTU-22-411045, 5.4.2, R31

Description

Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Ensure that the file /etc/security/faillock.conf contains the following entry: fail_interval = <interval-in-seconds> where interval-in-seconds is 900 or greater.

Rationale

By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Warnings

OVAL details

No more than one pam_unix.so is expected in auth section of common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_common_pam_unix_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\sauth.pam_unix\.so	/etc/pam.d/common-auth	1

One and only one occurrence is expected in auth section of common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_common_pam_faillock_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\sauth\s+required\s+pam_faillock\.so.preauth.[\s\S]^\sauth.pam_unix\.so[\s\S]^\sauth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]^\sauth\s+sufficient\s+pam_faillock\.so\s+authsucc	/etc/pam.d/common-auth	1

One and only one occurrence is expected in common-account failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_common_pam_faillock_account:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\saccount\s+required\s+pam_faillock\.so\s(#.*)?$	/etc/pam.d/common-account	1

Check the expected fail_interval value in common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_parameter_pamd_common:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

900

^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^ ]*fail_interval=([0-9]+)

/etc/pam.d/common-auth

State oval:ssg-state_accounts_passwords_pam_faillock_fail_interval_parameter_lower_bound:ste:1 of type textfilecontent54_state

Subexpression
900^[\s]auth[\s]+.+[\s]+pam_faillock.so[\s]+[^ ]fail_interval=([0-9]+)

Check the absence of fail_interval parameter in /etc/security/faillock.conf failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_parameter_faillock_conf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]fail_interval[\s]=[\s]*([0-9]+)	/etc/security/faillock.conf	1

Check the absence of fail_interval parameter in common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_parameter_pamd_common:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]auth[\s]+.+[\s]+pam_faillock.so[\s]+[^ ]fail_interval=([0-9]+)	/etc/pam.d/common-auth	1

Check the expected fail_interval value in /etc/security/faillock.conf failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_parameter_faillock_conf:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

900

^[\s]*fail_interval[\s]*=[\s]*([0-9]+)

/etc/security/faillock.conf

State oval:ssg-state_accounts_passwords_pam_faillock_fail_interval_parameter_lower_bound:ste:1 of type textfilecontent54_state

Subexpression
900^[\s]fail_interval[\s]=[\s]*([0-9]+)

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_accounts_passwords_pam_faillock_fail_interval='900'


if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
authselect enable-feature with-faillock

authselect apply-changes -b
else
    
pam_file="/etc/pam.d/common-auth"
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
    # insert at the top
    sed -i --follow-symlinks '/^# here are the per-package modules/i auth        required      pam_faillock.so preauth' "$pam_file"
fi
if ! grep -qE '^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then

    num_lines=$(sed -n 's/^\s*auth.*success=\([1-9]\).*pam_unix\.so.*/\1/p' "$pam_file")
    if [ ! -z "$num_lines" ]; then

        # Add pam_faillock (authfail) module below pam_unix, skipping N-1 lines, where N is
        # the number of jumps in the pam_unix success=N statement. Ignore commented and empty lines.

        append_position=$(cat -n "${pam_file}" \
                          | grep -P "^\s+\d+\s+auth\s+.*$" \
                          | grep -w "pam_unix.so" -A $(( num_lines - 1 )) \
                          | tail -n 1 | cut -f 1 | tr -d ' '
                         )
        sed -i --follow-symlinks ''${append_position}'a auth        [default=die]      pam_faillock.so authfail' "$pam_file"
    else
        sed -i --follow-symlinks '/^auth.*pam_unix\.so.*/a auth        [default=die]      pam_faillock.so authfail' "$pam_file"
    fi
fi
if ! grep -qE '^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc.*$' "$pam_file" ; then
    sed -i --follow-symlinks '/^auth.*pam_faillock\.so.*authfail.*/a auth        sufficient      pam_faillock.so authsucc' "$pam_file"
fi

pam_file="/etc/pam.d/common-account"
if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
    echo 'account   required     pam_faillock.so' >> "$pam_file"
fi

fi

AUTH_FILES=("/etc/pam.d/common-auth" "/etc/pam.d/password-auth")

FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
    regex="^\s*fail_interval\s*="
    line="fail_interval = $var_accounts_passwords_pam_faillock_fail_interval"
    if ! grep -q $regex $FAILLOCK_CONF; then
        echo $line >> $FAILLOCK_CONF
    else
        sed -i --follow-symlinks 's|^\s*\(fail_interval\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_fail_interval"'|g' $FAILLOCK_CONF
    fi
    for pam_file in "${AUTH_FILES[@]}"
    do
        if [ -e "$pam_file" ] ; then
            PAM_FILE_PATH="$pam_file"
            if [ -f /usr/bin/authselect ]; then
                
                if ! authselect check; then
                echo "
                authselect integrity check failed. Remediation aborted!
                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
                It is not recommended to manually edit the PAM files when authselect tool is available.
                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
                exit 1
                fi

                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
                # If not already in use, a custom profile is created preserving the enabled features.
                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                    authselect create-profile hardening -b $CURRENT_PROFILE
                    CURRENT_PROFILE="custom/hardening"
                    
                    authselect apply-changes -b --backup=before-hardening-custom-profile
                    authselect select $CURRENT_PROFILE
                    for feature in $ENABLED_FEATURES; do
                        authselect enable-feature $feature;
                    done
                    
                    authselect apply-changes -b --backup=after-hardening-custom-profile
                fi
                PAM_FILE_NAME=$(basename "$pam_file")
                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

                authselect apply-changes -b
            fi
            
        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b' "$PAM_FILE_PATH"; then
            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
        fi
            if [ -f /usr/bin/authselect ]; then
                
                authselect apply-changes -b
            fi
        else
            echo "$pam_file was not found" >&2
        fi
    done
else
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
        else
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
        fi
    done
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set Lockout Time for Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, UBTU-22-411045, 5.4.2, R31, 8.3.4

Description

This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using pam_faillock.so. Ensure that the file /etc/security/faillock.conf contains the following entry: unlock_time=<interval-in-seconds> where interval-in-seconds is 600 or greater. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. This should be done using the faillock tool.

Rationale

Warnings

warning If the system supports the new /etc/security/faillock.conf file but the pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and /etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter to /etc/security/faillock.conf to ensure compatibility with authselect tool. The parameters deny and fail_interval, if used, also have to be migrated by their respective remediation.

OVAL details

No more than one pam_unix.so is expected in auth section of common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_common_pam_unix_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\sauth.pam_unix\.so	/etc/pam.d/common-auth	1

One and only one occurrence is expected in auth section of common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_common_pam_faillock_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\sauth\s+required\s+pam_faillock\.so.preauth.[\s\S]^\sauth.pam_unix\.so[\s\S]^\sauth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]^\sauth\s+sufficient\s+pam_faillock\.so\s+authsucc	/etc/pam.d/common-auth	1

One and only one occurrence is expected in common-account failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_common_pam_faillock_account:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\saccount\s+required\s+pam_faillock\.so\s(#.*)?$	/etc/pam.d/common-account	1

Check the expected unlock_time value in common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_common:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

600

^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^ ]*unlock_time=([0-9]+)

/etc/pam.d/common-auth

State oval:ssg-state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound:ste:1 of type textfilecontent54_state

Subexpression
600^[\s]auth[\s]+.+[\s]+pam_faillock.so[\s]+[^ ]unlock_time=([0-9]+)

Check the absence of unlock_time parameter in /etc/security/faillock.conf failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]unlock_time[\s]=[\s]*([0-9]+)	/etc/security/faillock.conf	1

Check the absence of unlock_time parameter in common-auth failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_common:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]auth[\s]+.+[\s]+pam_faillock.so[\s]+[^ ]unlock_time=([0-9]+)	/etc/pam.d/common-auth	1

Check the expected unlock_time value in /etc/security/faillock.conf failed because these items were missing:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

600

^[\s]*unlock_time[\s]*=[\s]*([0-9]+)

/etc/security/faillock.conf

State oval:ssg-state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound:ste:1 of type textfilecontent54_state

Subexpression
600^[\s]unlock_time[\s]=[\s]*([0-9]+)

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_accounts_passwords_pam_faillock_unlock_time='600'


if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
authselect enable-feature with-faillock

authselect apply-changes -b
else
    
pam_file="/etc/pam.d/common-auth"
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
    # insert at the top
    sed -i --follow-symlinks '/^# here are the per-package modules/i auth        required      pam_faillock.so preauth' "$pam_file"
fi
if ! grep -qE '^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then

    num_lines=$(sed -n 's/^\s*auth.*success=\([1-9]\).*pam_unix\.so.*/\1/p' "$pam_file")
    if [ ! -z "$num_lines" ]; then

        # Add pam_faillock (authfail) module below pam_unix, skipping N-1 lines, where N is
        # the number of jumps in the pam_unix success=N statement. Ignore commented and empty lines.

        append_position=$(cat -n "${pam_file}" \
                          | grep -P "^\s+\d+\s+auth\s+.*$" \
                          | grep -w "pam_unix.so" -A $(( num_lines - 1 )) \
                          | tail -n 1 | cut -f 1 | tr -d ' '
                         )
        sed -i --follow-symlinks ''${append_position}'a auth        [default=die]      pam_faillock.so authfail' "$pam_file"
    else
        sed -i --follow-symlinks '/^auth.*pam_unix\.so.*/a auth        [default=die]      pam_faillock.so authfail' "$pam_file"
    fi
fi
if ! grep -qE '^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc.*$' "$pam_file" ; then
    sed -i --follow-symlinks '/^auth.*pam_faillock\.so.*authfail.*/a auth        sufficient      pam_faillock.so authsucc' "$pam_file"
fi

pam_file="/etc/pam.d/common-account"
if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
    echo 'account   required     pam_faillock.so' >> "$pam_file"
fi

fi

AUTH_FILES=("/etc/pam.d/common-auth" "/etc/pam.d/password-auth")

FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
    regex="^\s*unlock_time\s*="
    line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time"
    if ! grep -q $regex $FAILLOCK_CONF; then
        echo $line >> $FAILLOCK_CONF
    else
        sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF
    fi
    for pam_file in "${AUTH_FILES[@]}"
    do
        if [ -e "$pam_file" ] ; then
            PAM_FILE_PATH="$pam_file"
            if [ -f /usr/bin/authselect ]; then
                
                if ! authselect check; then
                echo "
                authselect integrity check failed. Remediation aborted!
                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
                It is not recommended to manually edit the PAM files when authselect tool is available.
                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
                exit 1
                fi

                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
                # If not already in use, a custom profile is created preserving the enabled features.
                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                    authselect create-profile hardening -b $CURRENT_PROFILE
                    CURRENT_PROFILE="custom/hardening"
                    
                    authselect apply-changes -b --backup=before-hardening-custom-profile
                    authselect select $CURRENT_PROFILE
                    for feature in $ENABLED_FEATURES; do
                        authselect enable-feature $feature;
                    done
                    
                    authselect apply-changes -b --backup=after-hardening-custom-profile
                fi
                PAM_FILE_NAME=$(basename "$pam_file")
                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

                authselect apply-changes -b
            fi
            
        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bunlock_time\b' "$PAM_FILE_PATH"; then
            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bunlock_time\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
        fi
            if [ -f /usr/bin/authselect ]; then
                
                authselect apply-changes -b
            fi
        else
            echo "$pam_file was not found" >&2
        fi
    done
else
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        else
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
        fi
    done
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure PAM Enforces Password Requirements - Minimum Digit Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, UBTU-22-611020, 5.4.1, R31, 8.3.6

Description

The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf failed because these items were missing:

Object oval:ssg-obj_password_pam_pwquality_dcredit:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/security/pwquality\.conf$	^\sdcredit[\s]=[\s]*(-?\d+)(?:[\s]\|$)	1

State oval:ssg-state_password_pam_dcredit:ste:1 of type textfilecontent54_state

Subexpression
-1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-22-611020
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - PCI-DSSv4-8.3.6
  - accounts_password_pam_dcredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_dcredit # promote to variable
  set_fact:
    var_password_pam_dcredit: !!str -1
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters - Ensure
    PAM variable dcredit is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*dcredit
    line: dcredit = {{ var_password_pam_dcredit }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-611020
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - PCI-DSSv4-8.3.6
  - accounts_password_pam_dcredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_dcredit='-1'






# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dcredit")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dcredit"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000070-GPOS-00038, UBTU-22-611015, 5.4.1, R31, 8.3.6

Description

The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf failed because these items were missing:

Object oval:ssg-obj_password_pam_pwquality_lcredit:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/security/pwquality\.conf$	^\slcredit[\s]=[\s]*(-?\d+)(?:[\s]\|$)	1

State oval:ssg-state_password_pam_lcredit:ste:1 of type textfilecontent54_state

Subexpression
-1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-22-611015
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - PCI-DSSv4-8.3.6
  - accounts_password_pam_lcredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_lcredit # promote to variable
  set_fact:
    var_password_pam_lcredit: !!str -1
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters -
    Ensure PAM variable lcredit is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*lcredit
    line: lcredit = {{ var_password_pam_lcredit }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-611015
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - PCI-DSSv4-8.3.6
  - accounts_password_pam_lcredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_lcredit='-1'






# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^lcredit")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_lcredit"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure PAM Enforces Password Requirements - Minimum Different Categories

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, 5.4.1, R68

Description

The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:

* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)

Modify the minclass setting in /etc/security/pwquality.conf entry to require 4 differing categories of characters when changing passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf failed because these items were missing:

Object oval:ssg-obj_password_pam_pwquality_minclass:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/security/pwquality\.conf$	^\sminclass[\s]=[\s]*(-?\d+)(?:[\s]\|$)	1

State oval:ssg-state_password_pam_minclass:ste:1 of type textfilecontent54_state

Subexpression
4

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_minclass
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_minclass # promote to variable
  set_fact:
    var_password_pam_minclass: !!str 4
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Different Categories -
    Ensure PAM variable minclass is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*minclass
    line: minclass = {{ var_password_pam_minclass }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_minclass
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_minclass='4'






# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minclass")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minclass"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure PAM Enforces Password Requirements - Minimum Length

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, UBTU-22-611035, 5.4.1, R31, R68, 8.3.6

Description

The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=14 after pam_pwquality to set minimum password length requirements.

Rationale

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

OVAL details

check the configuration of /etc/security/pwquality.conf failed because these items were missing:

Object oval:ssg-obj_password_pam_pwquality_minlen:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/security/pwquality\.conf$	^\sminlen[\s]=[\s]*(-?\d+)(?:[\s]\|$)	1

State oval:ssg-state_password_pam_minlen:ste:1 of type textfilecontent54_state

Subexpression
14

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.6.2.1.1
  - DISA-STIG-UBTU-22-611035
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - PCI-DSSv4-8.3.6
  - accounts_password_pam_minlen
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_minlen # promote to variable
  set_fact:
    var_password_pam_minlen: !!str 14
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure PAM variable
    minlen is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*minlen
    line: minlen = {{ var_password_pam_minlen }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - CJIS-5.6.2.1.1
  - DISA-STIG-UBTU-22-611035
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - PCI-DSSv4-8.3.6
  - accounts_password_pam_minlen
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_minlen='14'






# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure PAM Enforces Password Requirements - Minimum Special Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-001619, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, SRG-OS-000266-GPOS-00101, UBTU-22-611025, 5.4.1, R31

Description

The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal -1 to require use of a special character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf failed because these items were missing:

Object oval:ssg-obj_password_pam_pwquality_ocredit:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/security/pwquality\.conf$	^\socredit[\s]=[\s]*(-?\d+)(?:[\s]\|$)	1

State oval:ssg-state_password_pam_ocredit:ste:1 of type textfilecontent54_state

Subexpression
-1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-22-611025
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_ocredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_ocredit # promote to variable
  set_fact:
    var_password_pam_ocredit: !!str -1
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters - Ensure
    PAM variable ocredit is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*ocredit
    line: ocredit = {{ var_password_pam_ocredit }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-611025
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_ocredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_ocredit='-1'






# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ocredit")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ocredit"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^ocredit\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^ocredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_retry

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227, UBTU-22-611045, 5.4.1, R68

Description

To configure the number of retry prompts that are permitted per-session: Edit the pam_pwquality.so statement in /etc/pam.d/common-password to show retry=3, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.

Rationale

Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.

OVAL details

check the configuration of /etc/pam.d/common-password passed because of these items:

Path	Content
/etc/pam.d/common-password	password requisite pam_pwquality.so retry=3

check the configuration of /etc/pam.d/common-password passed because of these items:

Path	Content
/etc/pam.d/common-password	password requisite pam_pwquality.so retry=3

check the configuration of /etc/security/pwquality.conf passed because these items were not found:

Object oval:ssg-obj_password_pam_pwquality_retry_pwquality_conf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/pwquality.conf	^[\s]retry[\s]=[\s]*(\d+)(?:[\s]\|$)	1

State oval:ssg-state_password_pam_retry_upper_bound:ste:1 of type textfilecontent54_state

Subexpression
3

Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, UBTU-22-611010, 5.4.1, R31

Description

The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.

Rationale

OVAL details

check the configuration of /etc/security/pwquality.conf failed because these items were missing:

Object oval:ssg-obj_password_pam_pwquality_ucredit:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/security/pwquality\.conf$	^\sucredit[\s]=[\s]*(-?\d+)(?:[\s]\|$)	1

State oval:ssg-state_password_pam_ucredit:ste:1 of type textfilecontent54_state

Subexpression
-1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-22-611010
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_ucredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_ucredit # promote to variable
  set_fact:
    var_password_pam_ucredit: !!str -1
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters -
    Ensure PAM variable ucredit is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*ucredit
    line: ucredit = {{ var_password_pam_ucredit }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-611010
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_ucredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_ucredit='-1'






# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ucredit")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ucredit"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set Password Hashing Algorithm in /etc/login.defs

Rule ID xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, UBTU-22-611070, 5.4.4, 8.3.2

Description

In /etc/login.defs, add or correct the following line to ensure the system will use yescrypt as the hashing algorithm:

ENCRYPT_METHOD yescrypt

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.

OVAL details

The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs failed because of these items:

Var ref	Value
oval:ssg-variable_last_encrypt_method_instance_value:var:1	SHA512

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then

var_password_hashing_algorithm='yescrypt'

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ENCRYPT_METHOD")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "$var_password_hashing_algorithm"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^ENCRYPT_METHOD\\>" "/etc/login.defs"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^ENCRYPT_METHOD\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
else
    if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/login.defs"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set Account Expiration Following Inactivity

Rule ID xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, UBTU-22-411035, 5.5.1.4, 8.2.6

Description

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd:

INACTIVE=30

If a password is currently on the verge of expiration, then 30 day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus 30 day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information.

Rationale

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.

OVAL details

the value INACTIVE parameter should be set appropriately in /etc/default/useradd failed because these items were missing:

Object oval:ssg-object_etc_default_useradd_inactive:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/default/useradd	^\sINACTIVE\s=\s(\d+)\s$	1

State oval:ssg-state_etc_default_useradd_inactive:ste:1 of type textfilecontent54_state

Subexpression
30

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then

var_account_disable_post_pw_expiration='30'


# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^INACTIVE")

# shellcheck disable=SC2059
printf -v formatted_output "%s=%s" "$stripped_key" "$var_account_disable_post_pw_expiration"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd"
else
    if [[ -s "/etc/default/useradd" ]] && [[ -n "$(tail -c 1 -- "/etc/default/useradd" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/default/useradd"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/default/useradd"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure All Accounts on the System Have Unique Names

Rule ID

xccdf_org.ssgproject.content_rule_account_unique_name

Result

pass

Time

2025-05-13T15:24:10

Severity

medium

Identifiers and References

References: 5.5.2, CCI-000770, CCI-000804, Req-8.1.1, 6.2.7, 8.2.1

Description

Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command:

$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d

If a username is returned, change or delete the username.

Rationale

Unique usernames allow for accountability on the system.

OVAL details

There should not exist duplicate user name entries in /etc/passwd passed because of these items:

Var ref	Value
oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1	50

Ensure shadow Group is Empty

Rule ID

xccdf_org.ssgproject.content_rule_ensure_shadow_group_empty

Result

pass

Time

2025-05-13T15:24:10

Severity

medium

Identifiers and References

References: Req-8.2.1, 6.2.4, 8.3.2

Description

The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

Rationale

Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.

Warnings

warning This rule remediation will ensure the group membership is empty in /etc/group. To avoid any disruption the remediation won't change the primary group of users in /etc/passwd if any user has the shadow GID as primary group.

OVAL details

shadow group is empty passed because of these items:

Path	Content
/etc/group	shadow:x:42:

no user is assigned to the shadow group passed because these items were not found:

Object oval:ssg-obj_etc_passwd_user_has_shadow_group:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^.:.:.:42:.:.:.$	/etc/passwd	1

Set Password Maximum Age

Rule ID xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, SRG-OS-000076-GPOS-00044, UBTU-22-411030, 5.5.1.2, 8.3.9

Description

To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MAX_DAYS 365

A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 365.

Rationale

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

OVAL details

The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs failed because of these items:

Var ref	Value
oval:ssg-variable_last_pass_max_days_instance_value:var:1	99999

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then

var_accounts_maximum_age_login_defs='365'

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^PASS_MAX_DAYS")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_maximum_age_login_defs"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^PASS_MAX_DAYS\\>" "/etc/login.defs"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^PASS_MAX_DAYS\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
else
    if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/login.defs"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set Password Minimum Age

Rule ID xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000198, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000075-GPOS-00043, UBTU-22-411025, 5.5.1.1

Description

To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MIN_DAYS 1

A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is 1.

Rationale

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

OVAL details

The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs failed because of these items:

Var ref	Value
oval:ssg-variable_last_pass_min_days_instance_value:var:1	0

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then

var_accounts_minimum_age_login_defs='1'

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^PASS_MIN_DAYS")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_minimum_age_login_defs"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^PASS_MIN_DAYS\\>" "/etc/login.defs"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^PASS_MIN_DAYS\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
else
    if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/login.defs"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set Existing Passwords Maximum Age

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing

Result

error

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000076-GPOS-00044, 5.5.1.2, 8.3.9

Description

Configure non-compliant accounts to enforce a 365-day maximum password lifetime restriction by running the following command:

$ sudo chage -M 365
          USER

Rationale

OVAL details

Compares a specific field in /etc/shadow with a specific variable value failed because these items were missing:

Object oval:ssg-object_test_accounts_password_set_max_life_existing_password_max_life_existing:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/shadow	^(?:[^:]:)(?:[^\!\:]:)(?:[^:]:){2}(\d+):(?:[^:]:){3}(?:[^:])$	1

State oval:ssg-state_test_accounts_password_set_max_life_existing_password_max_life_existing:ste:1 of type textfilecontent54_state

Subexpression
365open(): '/etc/shadow' Permission denied.

Compares a specific field in /etc/shadow with a specific variable value failed because these items were missing:

Object oval:ssg-object_test_accounts_password_set_max_life_existing_password_max_life_existing_minimum:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/shadow	^(?:[^:]:)(?:[^\!\:]:)(?:[^:]:){2}(\d+):(?:[^:]:){3}(?:[^:])$	1

State oval:ssg-state_test_accounts_password_set_max_life_existing_password_max_life_existing_minimum:ste:1 of type textfilecontent54_state

Subexpression
1open(): '/etc/shadow' Permission denied.

Passwords must have the maximum password age set non-empty in /etc/shadow. failed because these items were missing:

Object oval:ssg-object_accounts_password_set_max_life_existing_shadow_password_users_max_life_not_existing:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/shadow	^(?:[^:]:)(?:[^\!\:]+:)(?:[^:]:){2}():(?:[^:]:){3}(?:[^:]*)$	1

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict


var_accounts_maximum_age_login_defs='365'


while IFS= read -r i; do
    
    chage -M $var_accounts_maximum_age_login_defs $i

done <   <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == "")) {print $1}' /etc/shadow)

Set Existing Passwords Minimum Age

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing

Result

error

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043, 5.5.1.1

Description

Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:

$ sudo chage -m 1 USER

Rationale

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

OVAL details

Compares a specific field in /etc/shadow with a specific variable value failed because these items were missing:

Object oval:ssg-object_test_accounts_password_set_min_life_existing_password_max_life_existing:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/shadow	^(?:[^:]:)(?:[^\!\:]:)(?:[^:]:)(\d+):(?:[^:]:){4}(?:[^:])$	1

State oval:ssg-state_test_accounts_password_set_min_life_existing_password_max_life_existing:ste:1 of type textfilecontent54_state

Subexpression
365open(): '/etc/shadow' Permission denied.

Compares a specific field in /etc/shadow with a specific variable value failed because these items were missing:

Object oval:ssg-object_test_accounts_password_set_min_life_existing_password_max_life_existing_minimum:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/shadow	^(?:[^:]:)(?:[^\!\:]:)(?:[^:]:)(\d+):(?:[^:]:){4}(?:[^:])$	1

State oval:ssg-state_test_accounts_password_set_min_life_existing_password_max_life_existing_minimum:ste:1 of type textfilecontent54_state

Subexpression
1open(): '/etc/shadow' Permission denied.

Passwords must have the maximum password age set non-empty in /etc/shadow. failed because these items were missing:

Object oval:ssg-object_accounts_password_set_min_life_existing_shadow_password_users_max_life_not_existing:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/shadow	^(?:[^:]:)(?:[^\!\:]+:)(?:[^:]:)():(?:[^:]:){4}(?:[^:]*)$	1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable
  set_fact:
    var_accounts_minimum_age_login_defs: !!str 1
  tags:
    - always

- name: Collect users with not correct minimum time period between password changes
  command: |
    awk -F':' '(/^[^:]+:[^!*]/ && ($4 < {{ var_accounts_minimum_age_login_defs }} || $4 == "")) {print $1}' /etc/shadow
  register: user_names
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - accounts_password_set_min_life_existing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Change the minimum time period between password changes
  command: |
    chage -m {{ var_accounts_minimum_age_login_defs }} {{ item }}
  with_items: '{{ user_names.stdout_lines }}'
  when: user_names.stdout_lines | length > 0
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - accounts_password_set_min_life_existing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict


var_accounts_minimum_age_login_defs='1'


while IFS= read -r i; do
    
    chage -m $var_accounts_minimum_age_login_defs $i

done <   <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == "")) {print $1}' /etc/shadow)

Set Password Warning Age

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 0418, 1055, 1402, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(f), IA-5(1)(d), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.2.4, 5.5.1.3, 8.3.9

Description

To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line:

PASS_WARN_AGE 7

The DoD requirement is 7. The profile requirement is 7.

Rationale

Setting the password warning age enables users to make the change at a practical time.

OVAL details

The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs passed because of these items:

Var ref	Value
oval:ssg-variable_last_pass_warn_age_instance_value:var:1	7

Verify All Account Password Hashes are Shadowed

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, 5.5.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.10, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 1410, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(h), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 6.2.1, 8.3.2

Description

If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

Rationale

The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.

OVAL details

password hashes are shadowed passed because of these items:

Username	User id	Group id	Gcos	Home dir	Login shell	Last login
root	0	0	root	/root	/bin/bash	0
daemon	1	1	daemon	/usr/sbin	/usr/sbin/nologin	0
bin	2	2	bin	/bin	/usr/sbin/nologin	0
sys	3	3	sys	/dev	/usr/sbin/nologin	0
sync	4	65534	sync	/bin	/bin/sync	0
games	5	60	games	/usr/games	/usr/sbin/nologin	0
man	6	12	man	/var/cache/man	/usr/sbin/nologin	0
lp	7	7	lp	/var/spool/lpd	/usr/sbin/nologin	0
mail	8	8	mail	/var/mail	/usr/sbin/nologin	0
news	9	9	news	/var/spool/news	/usr/sbin/nologin	0
uucp	10	10	uucp	/var/spool/uucp	/usr/sbin/nologin	0
proxy	13	13	proxy	/bin	/usr/sbin/nologin	0
www-data	33	33	www-data	/var/www	/usr/sbin/nologin	0
backup	34	34	backup	/var/backups	/usr/sbin/nologin	0
list	38	38	Mailing List Manager	/var/list	/usr/sbin/nologin	0
irc	39	39	ircd	/run/ircd	/usr/sbin/nologin	0
gnats	41	41	Gnats Bug-Reporting System (admin)	/var/lib/gnats	/usr/sbin/nologin	0
nobody	65534	65534	nobody	/nonexistent	/usr/sbin/nologin	-1
systemd-network	100	102	systemd Network Management,,,	/run/systemd	/usr/sbin/nologin	0
systemd-resolve	101	103	systemd Resolver,,,	/run/systemd	/usr/sbin/nologin	0
messagebus	102	105		/nonexistent	/usr/sbin/nologin	0
systemd-timesync	103	106	systemd Time Synchronization,,,	/run/systemd	/usr/sbin/nologin	0
syslog	104	111		/home/syslog	/usr/sbin/nologin	0
_apt	105	65534		/nonexistent	/usr/sbin/nologin	0
tss	106	113	TPM software stack,,,	/var/lib/tpm	/bin/false	0
uuidd	107	116		/run/uuidd	/usr/sbin/nologin	0
systemd-oom	108	117	systemd Userspace OOM Killer,,,	/run/systemd	/usr/sbin/nologin	0
tcpdump	109	118		/nonexistent	/usr/sbin/nologin	0
avahi-autoipd	110	119	Avahi autoip daemon,,,	/var/lib/avahi-autoipd	/usr/sbin/nologin	0
usbmux	111	46	usbmux daemon,,,	/var/lib/usbmux	/usr/sbin/nologin	0
dnsmasq	112	65534	dnsmasq,,,	/var/lib/misc	/usr/sbin/nologin	0
kernoops	113	65534	Kernel Oops Tracking Daemon,,,	/	/usr/sbin/nologin	0
avahi	114	121	Avahi mDNS daemon,,,	/run/avahi-daemon	/usr/sbin/nologin	0
cups-pk-helper	115	122	user for cups-pk-helper service,,,	/home/cups-pk-helper	/usr/sbin/nologin	0
rtkit	116	123	RealtimeKit,,,	/proc	/usr/sbin/nologin	0
whoopsie	117	124		/nonexistent	/bin/false	0
sssd	118	125	SSSD system user,,,	/var/lib/sss	/usr/sbin/nologin	0
speech-dispatcher	119	29	Speech Dispatcher,,,	/run/speech-dispatcher	/bin/false	0
fwupd-refresh	120	126	fwupd-refresh user,,,	/run/systemd	/usr/sbin/nologin	0
nm-openvpn	121	127	NetworkManager OpenVPN,,,	/var/lib/openvpn/chroot	/usr/sbin/nologin	0
saned	122	129		/var/lib/saned	/usr/sbin/nologin	0
colord	123	130	colord colour management daemon,,,	/var/lib/colord	/usr/sbin/nologin	0
geoclue	124	131		/var/lib/geoclue	/usr/sbin/nologin	0
pulse	125	132	PulseAudio daemon,,,	/run/pulse	/usr/sbin/nologin	0
gnome-initial-setup	126	65534		/run/gnome-initial-setup/	/bin/false	0
hplip	127	7	HPLIP system user,,,	/run/hplip	/bin/false	0
gdm	128	134	Gnome Display Manager	/var/lib/gdm3	/bin/false	0
arthur	1000	1000	Arthur,,,	/home/arthur	/bin/bash	0
sshd	129	65534		/run/sshd	/usr/sbin/nologin	0
debian-tor	130	138		/var/lib/tor	/bin/false	0

Ensure all users last password change date is in the past

Rule ID

xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past

Result

pass

Time

2025-05-13T15:24:10

Severity

medium

Identifiers and References

References: 5.5.1.5, 8.3.5

Description

All users should have a password change date in the past.

Rationale

If a user recorded password change date is in the future then they could bypass any set password expiration.

Warnings

warning Automatic remediation is not available, in order to avoid any system disruption.

OVAL details

Check if the password last chage time is less than or equal today. passed because of these items:

Var ref
oval:ssg-var_accounts_password_last_change_time_diff:var:1

Check the inexistence of users with a password defined passed because these items were not found:

Object oval:ssg-object_accounts_password_all_chage_in_past:obj:1 of type shadow_object

Username	Filter
.*	oval:ssg-state_accounts_password_all_chage_past_has_no_password:ste:1

All GIDs referenced in /etc/passwd must be defined in /etc/group

Rule ID

xccdf_org.ssgproject.content_rule_gid_passwd_group_same

Result

pass

Time

2025-05-13T15:24:10

Severity

low

Identifiers and References

References: 1, 12, 15, 16, 5, 5.5.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000764, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.5.a, SRG-OS-000104-GPOS-00051, 6.2.3, 8.2.2

Description

Add a group to the system for each GID referenced without a corresponding group.

Rationale

If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group.

OVAL details

Verify all GIDs referenced in /etc/passwd are defined in /etc/group passed because of these items:

Path	Content
/etc/passwd	bin:x:2:2:
/etc/passwd	sys:x:3:3:
/etc/passwd	sync:x:4:65534:
/etc/passwd	games:x:5:60:
/etc/passwd	man:x:6:12:
/etc/passwd	lp:x:7:7:
/etc/passwd	mail:x:8:8:
/etc/passwd	root:x:0:0:
/etc/passwd	daemon:x:1:1:
/etc/passwd	news:x:9:9:
/etc/passwd	uucp:x:10:10:
/etc/passwd	proxy:x:13:13:
/etc/passwd	www-data:x:33:33:
/etc/passwd	backup:x:34:34:
/etc/passwd	list:x:38:38:
/etc/passwd	irc:x:39:39:
/etc/passwd	gnats:x:41:41:
/etc/passwd	nobody:x:65534:65534:
/etc/passwd	systemd-network:x:100:102:
/etc/passwd	systemd-resolve:x:101:103:
/etc/passwd	messagebus:x:102:105:
/etc/passwd	systemd-timesync:x:103:106:
/etc/passwd	syslog:x:104:111:
/etc/passwd	_apt:x:105:65534:
/etc/passwd	tss:x:106:113:
/etc/passwd	uuidd:x:107:116:
/etc/passwd	systemd-oom:x:108:117:
/etc/passwd	tcpdump:x:109:118:
/etc/passwd	avahi-autoipd:x:110:119:
/etc/passwd	usbmux:x:111:46:
/etc/passwd	dnsmasq:x:112:65534:
/etc/passwd	kernoops:x:113:65534:
/etc/passwd	avahi:x:114:121:
/etc/passwd	cups-pk-helper:x:115:122:
/etc/passwd	rtkit:x:116:123:
/etc/passwd	whoopsie:x:117:124:
/etc/passwd	sssd:x:118:125:
/etc/passwd	speech-dispatcher:x:119:29:
/etc/passwd	fwupd-refresh:x:120:126:
/etc/passwd	nm-openvpn:x:121:127:
/etc/passwd	saned:x:122:129:
/etc/passwd	colord:x:123:130:
/etc/passwd	geoclue:x:124:131:
/etc/passwd	pulse:x:125:132:
/etc/passwd	gnome-initial-setup:x:126:65534:
/etc/passwd	hplip:x:127:7:
/etc/passwd	gdm:x:128:134:
/etc/passwd	arthur:x:1000:1000:
/etc/passwd	sshd:x:129:65534:
/etc/passwd	debian-tor:x:130:138:

Ensure There Are No Accounts With Blank or Null Passwords

Rule ID xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow

Result

error

Time 2025-05-13T15:24:10

Severity high

Identifiers and References

References: CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, UBTU-22-611065, 6.2.2, 2.2.2

Description

Check the "/etc/shadow" file for blank passwords with the following command:

$ sudo awk -F: '!$2 {print $1}' /etc/shadow

If the command returns any results, this is a finding. Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset:

$ sudo passwd [username]

Lock an account:

$ sudo passwd -l [username]

Rationale

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Warnings

warning Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.

OVAL details

make sure there aren't blank or null passwords in /etc/shadow failed because these items were missing:

Object oval:ssg-obj_no_empty_passwords_etc_shadow:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/shadow	^[^:]+::.*$	1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Collect users with no password
  command: |
    awk -F: '!$2 {print $1}' /etc/shadow
  register: users_nopasswd
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-611065
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - PCI-DSSv4-2.2.2
  - high_severity
  - low_complexity
  - low_disruption
  - no_empty_passwords_etc_shadow
  - no_reboot_needed
  - restrict_strategy

- name: Lock users with no password
  command: |
    passwd -l {{ item }}
  with_items: '{{ users_nopasswd.stdout_lines }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - users_nopasswd is not skipped and users_nopasswd.stdout_lines | length > 0
  tags:
  - DISA-STIG-UBTU-22-611065
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - PCI-DSSv4-2.2.2
  - high_severity
  - low_complexity
  - low_disruption
  - no_empty_passwords_etc_shadow
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow)

for user_with_empty_pass in "${users_with_empty_pass[@]}"
do
    passwd -l $user_with_empty_pass
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify No .forward Files Exist

Rule ID xccdf_org.ssgproject.content_rule_no_forward_files

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 6.2.15

Description

The .forward file specifies an email address to forward the user's mail to.

Rationale

Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions.

OVAL details

.forward files are not group or world accessible passed because these items were not found:

Object oval:ssg-object_accounts_users_home_forward_file_existance:obj:1 of type file_object

Path	Filename
/home/arthur	\.forward$

Verify No netrc Files Exist

Rule ID xccdf_org.ssgproject.content_rule_no_netrc_files

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(h), IA-5(1)(c), CM-6(a), IA-5(7), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, 6.2.14

Description

The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any .netrc files should be removed.

Rationale

Unencrypted passwords for remote FTP servers may be stored in .netrc files.

OVAL details

look for .netrc in /home passed because these items were not found:

Object oval:ssg-object_no_netrc_files_home:obj:1 of type file_object

Behaviors	Path	Filename
no value	/home	^\.netrc$

Verify Only Root Has UID 0

Rule ID

xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero

Result

pass

Time

2025-05-13T15:24:10

Severity

high

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, Req-8.5, SRG-OS-000480-GPOS-00227, 6.2.10, 8.2.1

Description

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.

Rationale

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

OVAL details

test that there are no accounts with UID 0 except root in the /etc/passwd file passed because these items were not found:

Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/passwd	^(?!root:)[^:]:[^:]:0	1

Verify Root Has A Primary GID 0

Rule ID xccdf_org.ssgproject.content_rule_accounts_root_gid_zero

Result

pass

Time 2025-05-13T15:24:10

Severity high

Identifiers and References

References: Req-8.1.1, 5.5.3, 8.2.1

Description

The root user should have a primary group of 0.

Rationale

To help ensure that root-owned files are not inadvertently exposed to other users.

OVAL details

test that there are no accounts with UID 0 except root in the /etc/passwd file passed because of these items:

Path	Content
/etc/passwd	root:x:0:0:root:/root:/bin/bash

Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty

Rule ID xccdf_org.ssgproject.content_rule_ensure_pam_wheel_group_empty

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 5.3.7, 2.2.6

Description

Ensure that the group sugroup referenced by var_pam_wheel_group_for_su variable and used as value for the pam_wheel.so group option exists and has no members. This empty group used by pam_wheel.so in /etc/pam.d/su ensures that no user can run commands with altered privileges through the su command.

Rationale

The su program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice.

Warnings

warning Note that this rule just ensures the group exists and has no members. This rule does not configure pam_wheel.so module. The pam_wheel.so module configuration is accomplished by use_pam_wheel_group_for_su rule.

OVAL details

check if group in var_pam_wheel_group_for_su variable used by pam_wheel.so exists failed because these items were missing:

Object oval:ssg-object_ensure_pam_wheel_group_exists:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

sugroup

^sugroup:[^:]+:[0-9]+:.*$

/etc/group

check if group defined by pam_wheel.so group option has no members failed because these items were missing:

Object oval:ssg-object_ensure_pam_wheel_group_exists:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

sugroup

^sugroup:[^:]+:[0-9]+:.*$

/etc/group

State oval:ssg-state_ensure_pam_wheel_group_has_no_members:ste:1 of type textfilecontent54_state

Text
^[^:]+:[^:]+:[0-9]+:\s*$

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSSv4-2.2.6
  - ensure_pam_wheel_group_empty
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_pam_wheel_group_for_su # promote to variable
  set_fact:
    var_pam_wheel_group_for_su: !!str sugroup
  tags:
    - always

- name: Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
    - Ensure {{ var_pam_wheel_group_for_su }} Group Exists
  ansible.builtin.group:
    name: '{{ var_pam_wheel_group_for_su }}'
    state: present
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - PCI-DSSv4-2.2.6
  - ensure_pam_wheel_group_empty
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
    - Ensure {{ var_pam_wheel_group_for_su }} Group is Empty
  ansible.builtin.lineinfile:
    path: /etc/group
    regexp: ^({{ var_pam_wheel_group_for_su }}:[^:]+:[0-9]+:).*$
    line: \1
    backrefs: true
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - PCI-DSSv4-2.2.6
  - ensure_pam_wheel_group_empty
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_pam_wheel_group_for_su='sugroup'


if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then
    groupadd ${var_pam_wheel_group_for_su}
fi

# group must be empty
gpasswd -M '' ${var_pam_wheel_group_for_su}

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure Authentication Required for Single User Mode

Rule ID

xccdf_org.ssgproject.content_rule_ensure_root_password_configured

Result

error

Time

2025-05-13T15:24:10

Severity

medium

Identifiers and References

References: 1.4.3, 2.2.2

Description

Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.

Rationale

Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials.

OVAL details

make sure root password is set in /etc/shadow failed because these items were missing:

Object oval:ssg-obj_root_password_etc_shadow:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/shadow	^root:\$(y\|[0-9].+)\$.*$	1

Ensure that System Accounts Do Not Run a Shell Upon Login

Rule ID xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 1491, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6, CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, SRG-OS-000480-GPOS-00227, 5.5.2, 8.2.2

Description

Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account other than root has a login shell, disable it with the command:

$ sudo usermod -s /sbin/nologin account

Rationale

Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.

Warnings

warning Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.

OVAL details

SYS_UID_MIN not defined in /etc/login.defs failed because these items were missing:

Object oval:ssg-object_last_sys_uid_min_from_etc_login_defs:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/login.defs	.(?:^\|\n)\s(SYS_UID_MIN[\s]+[\d]+)\s*(?:$\|\n)	1

SYS_UID_MAX not defined in /etc/login.defs failed because these items were missing:

Object oval:ssg-object_last_sys_uid_max_from_etc_login_defs:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/login.defs	.(?:^\|\n)\s(SYS_UID_MAX[\s]+[\d]+)\s*(?:$\|\n)	1

<0, UID_MIN - 1> system UIDs having shell set failed because of these items:

Path	Content
/etc/passwd	tss:x:106:113:TPM software stack,,,:/var/lib/tpm:/bin/false
/etc/passwd	whoopsie:x:117:124::/nonexistent:/bin/false
/etc/passwd	speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
/etc/passwd	gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false
/etc/passwd	hplip:x:127:7:HPLIP system user,,,:/run/hplip:/bin/false
/etc/passwd	gdm:x:128:134:Gnome Display Manager:/var/lib/gdm3:/bin/false
/etc/passwd	arthur:x:1000:1000:Arthur,,,:/home/arthur:/bin/bash
/etc/passwd	debian-tor:x:130:138::/var/lib/tor:/bin/false

SYS_UID_MIN not defined in /etc/login.defs failed because these items were missing:

Object oval:ssg-object_last_sys_uid_min_from_etc_login_defs:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/login.defs	.(?:^\|\n)\s(SYS_UID_MIN[\s]+[\d]+)\s*(?:$\|\n)	1

SYS_UID_MAX not defined in /etc/login.defs failed because these items were missing:

Object oval:ssg-object_last_sys_uid_max_from_etc_login_defs:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/login.defs	.(?:^\|\n)\s(SYS_UID_MAX[\s]+[\d]+)\s*(?:$\|\n)	1

<0, SYS_UID_MIN> system UIDs having shell set failed because of these items:

Path	Content
/etc/passwd	tss:x:106:113:TPM software stack,,,:/var/lib/tpm:/bin/false
/etc/passwd	whoopsie:x:117:124::/nonexistent:/bin/false
/etc/passwd	speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
/etc/passwd	gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false
/etc/passwd	hplip:x:127:7:HPLIP system user,,,:/run/hplip:/bin/false
/etc/passwd	gdm:x:128:134:Gnome Display Manager:/var/lib/gdm3:/bin/false
/etc/passwd	arthur:x:1000:1000:Arthur,,,:/home/arthur:/bin/bash
/etc/passwd	debian-tor:x:130:138::/var/lib/tor:/bin/false

<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set failed because of these items:

Path	Content
/etc/passwd	tss:x:106:113:TPM software stack,,,:/var/lib/tpm:/bin/false
/etc/passwd	whoopsie:x:117:124::/nonexistent:/bin/false
/etc/passwd	speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
/etc/passwd	gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false
/etc/passwd	hplip:x:127:7:HPLIP system user,,,:/run/hplip:/bin/false
/etc/passwd	gdm:x:128:134:Gnome Display Manager:/var/lib/gdm3:/bin/false
/etc/passwd	arthur:x:1000:1000:Arthur,,,:/home/arthur:/bin/bash
/etc/passwd	debian-tor:x:130:138::/var/lib/tor:/bin/false

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	false
Strategy:	restrict

- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Get All Local
    Users From /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - PCI-DSSv4-8.2.2
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - no_shelllogin_for_systemaccounts
  - restrict_strategy

- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Create local_users
    Variable From getent_passwd Facts
  ansible.builtin.set_fact:
    local_users: '{{ ansible_facts.getent_passwd | dict2items }}'
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - PCI-DSSv4-8.2.2
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - no_shelllogin_for_systemaccounts
  - restrict_strategy

- name: Ensure that System Accounts Do Not Run a Shell Upon Login -  Disable Login
    Shell for System Accounts
  ansible.builtin.user:
    name: '{{ item.key }}'
    shell: /sbin/nologin
  loop: '{{ local_users }}'
  when:
  - item.key not in ['root']
  - item.value[1]|int < 1000
  - item.value[5] not in ['/sbin/shutdown', '/sbin/halt', '/bin/sync']
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - PCI-DSSv4-8.2.2
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - no_shelllogin_for_systemaccounts
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	false
Strategy:	restrict


readarray -t systemaccounts < <(awk -F: '($3 < 1000 && $3 != root \
  && $7 != "\/sbin\/shutdown" && $7 != "\/sbin\/halt" && $7 != "\/bin\/sync") \
  { print $1 }' /etc/passwd)

for systemaccount in "${systemaccounts[@]}"; do
    usermod -s /sbin/nologin "$systemaccount"
done

Enforce Usage of pam_wheel with Group Parameter for su Authentication

Rule ID xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su

Result

fail

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 5.3.7, 2.2.6

Description

To ensure that only users who are members of the group set in the group option of pam_wheel.so module can run commands with altered privileges through the su command, make sure that the following line exists in the file /etc/pam.d/su:

auth required pam_wheel.so use_uid group=sugroup

Rationale

Warnings

warning Note that ensure_pam_wheel_group_empty rule complements this requirement by ensuring the referenced group exists and has no members.

OVAL details

check /etc/pam.d/su for correct setting failed because these items were missing:

Object oval:ssg-object_use_pam_wheel_group_for_su:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/su	^\sauth\s+required\s+pam_wheel\.so\s+(?=[^#]\buse_uid\b)[^#]\bgroup=([_a-z][-0-9_a-z])	1

State oval:ssg-state_use_pam_wheel_group_for_su:ste:1 of type textfilecontent54_state

Subexpression
sugroup

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - use_pam_wheel_group_for_su
- name: XCCDF Value var_pam_wheel_group_for_su # promote to variable
  set_fact:
    var_pam_wheel_group_for_su: !!str sugroup
  tags:
    - always

- name: Enforce Usage of pam_wheel with Group Parameter for su Authentication - Add
    the group to the /etc/pam.d/su file
  ansible.builtin.lineinfile:
    path: /etc/pam.d/su
    state: present
    regexp: ^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid group=$
    line: auth             required        pam_wheel.so use_uid group={{ var_pam_wheel_group_for_su
      }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - use_pam_wheel_group_for_su

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_pam_wheel_group_for_su='sugroup'


PAM_CONF=/etc/pam.d/su

pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF})
if [ -z "$pamstr" ]; then
    sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line
    sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth             required        pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF}
else
    group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2)
    if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then
        sed -Ei "s/(^auth\s+required\s+pam_wheel.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" ${PAM_CONF}
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure All Accounts on the System Have Unique User IDs

Rule ID

xccdf_org.ssgproject.content_rule_account_unique_id

Result

pass

Time

2025-05-13T15:24:10

Severity

medium

Identifiers and References

References: CCI-000135, CCI-000764, CCI-000804, Req-8.1.1, SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, 6.2.5, 8.2.1

Description

Change user IDs (UIDs), or delete accounts, so each has a unique name.

Rationale

To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.

Warnings

warning Automatic remediation of this control is not available due to unique requirements of each system.

OVAL details

There should not exist duplicate user ids in /etc/passwd passed because of these items:

Var ref	Value
oval:ssg-variable_count_of_all_uids:var:1	50

Ensure All Groups on the System Have Unique Group ID

Rule ID

xccdf_org.ssgproject.content_rule_group_unique_id

Result

pass

Time

2025-05-13T15:24:10

Severity

medium

Identifiers and References

References: CCI-000764, SRG-OS-000104-GPOS-00051, 6.2.6, 8.2.1

Description

Change the group name or delete groups, so each has a unique id.

Rationale

To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.

Warnings

warning Automatic remediation of this control is not available due to the unique requirements of each system.

OVAL details

There should not exist duplicate group ids in /etc/passwd passed because of these items:

Var ref	Value
oval:ssg-variable_count_of_all_group_ids:var:1	79

Ensure All Groups on the System Have Unique Group Names

Rule ID

xccdf_org.ssgproject.content_rule_group_unique_name

Result

pass

Time

2025-05-13T15:24:10

Severity

medium

Identifiers and References

References: 6.2.8, 8.2.1

Description

Change the group name or delete groups, so each has a unique name.

Rationale

To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.

Warnings

warning Automatic remediation of this control is not available due to the unique requirements of each system.

OVAL details

There should not exist duplicate group names in /etc/passwd passed because of these items:

Var ref	Value
oval:ssg-variable_count_of_all_group_names:var:1	79

Ensure that Root's Path Does Not Include World or Group-Writable Directories

Rule ID

xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write

Result

pass

Time

2025-05-13T15:24:35

Severity

medium

Identifiers and References

References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), CM-6(a), PR.IP-1, 6.2.9

Description

For each element in root's path, run:

# ls -ld DIR

and ensure that write permissions are disabled for group and other.

Rationale

Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code.

OVAL details

Check if there aren't directories in root's path having write permission set for group or other passed because these items were not found:

Object oval:ssg-object_accounts_root_path_dirs_no_group_other_write:obj:1 of type file_object

Path

Filename

Filter

/usr/local/sbin

/usr/local/bin

/usr/sbin

/usr/bin

/sbin

/bin

/usr/games

/usr/local/games

/snap/bin

no value

oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1

oval:ssg-state_accounts_root_path_dirs_symlink:ste:1

Ensure that Root's Path Does Not Include Relative Paths or Null Directories

Rule ID xccdf_org.ssgproject.content_rule_root_path_no_dot

Result

pass

Time 2025-05-13T15:24:35

Severity unknown

Identifiers and References

References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), CM-6(a), PR.IP-1, 6.2.9

Description

Ensure that none of the directories in root's path is equal to a single . character, or that it contains any instances that lead to relative path traversal, such as .. or beginning a path without the slash (/) character. Also ensure that there are no "empty" elements in the path, such as in these examples:

PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin

These empty elements have the same effect as a single . character.

Rationale

Including these entries increases the risk that root could execute code from an untrusted location.

OVAL details

environment variable PATH starts with : or . passed because of these items:

Pid	Name	Value
75098	PATH	/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

environment variable PATH doesn't contain : twice in a row passed because of these items:

Pid	Name	Value
75098	PATH	/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

environment variable PATH doesn't contain . twice in a row passed because of these items:

Pid	Name	Value
75098	PATH	/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

environment variable PATH ends with : or . passed because of these items:

Pid	Name	Value
75098	PATH	/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

environment variable PATH starts with an absolute path / passed because of these items:

Pid	Name	Value
75098	PATH	/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

environment variable PATH contains relative paths passed because of these items:

Pid	Name	Value
75098	PATH	/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

Ensure the Default Bash Umask is Set Correctly

Rule ID xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, 5.5.4, R36

Description

To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:

umask 027

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

OVAL details

Test the retrieved /etc/bash.bashrc umask value(s) match the var_accounts_user_umask requirement failed because these items were missing:

Object oval:ssg-obj_accounts_umask_etc_bashrc:obj:1 of type variable_object

Var ref
oval:ssg-var_etc_bashrc_umask_as_number:var:1

State oval:ssg-ste_accounts_umask_etc_bashrc:ste:1 of type variable_state

Value
72023027Referenced variable has no values (oval:ssg-var_etc_bashrc_umask_as_number:var:1).

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_bashrc
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Check if umask in /etc/bash.bashrc is already set
  ansible.builtin.lineinfile:
    path: /etc/bash.bashrc
    regexp: ^[^#]*\bumask\s+\d+$
    state: absent
  check_mode: true
  changed_when: false
  register: umask_replace
  when: '"bash" in ansible_facts.packages'
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_bashrc
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Replace user umask in /etc/bash.bashrc
  ansible.builtin.replace:
    path: /etc/bash.bashrc
    regexp: ^([^#]*\b)umask\s+\d+$
    replace: \g<1>umask {{ var_accounts_user_umask }}
  when:
  - '"bash" in ansible_facts.packages'
  - umask_replace.found > 0
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_bashrc
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure the Default umask is Appended Correctly
  ansible.builtin.lineinfile:
    create: true
    path: /etc/bash.bashrc
    line: umask {{ var_accounts_user_umask }}
  when:
  - '"bash" in ansible_facts.packages'
  - umask_replace.found == 0
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_bashrc
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'bash' 2>/dev/null | grep -q installed; then

var_accounts_user_umask='027'






grep -q "^[^#]*\bumask" /etc/bash.bashrc && \
  sed -i -E -e "s/^([^#]*\bumask).*/\1 $var_accounts_user_umask/g" /etc/bash.bashrc
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/bash.bashrc
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure the Default Umask is Set Correctly in login.defs

Rule ID xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 11, 18, 3, 9, APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-1, PR.IP-2, SRG-OS-000480-GPOS-00228, UBTU-22-412035, 5.5.4, R36

Description

To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:

UMASK 027

Rationale

OVAL details

Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement failed because of these items:

Var ref	Value
oval:ssg-var_etc_login_defs_umask_as_number:var:1	18

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-22-412035
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Check if UMASK is already set
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: ^(\s*)UMASK\s+.*
    state: absent
  check_mode: true
  changed_when: false
  register: result_umask_is_set
  when: '"login" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-412035
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Replace user UMASK in /etc/login.defs
  ansible.builtin.replace:
    path: /etc/login.defs
    regexp: ^(\s*)UMASK(\s+).*
    replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }}
  when:
  - '"login" in ansible_facts.packages'
  - result_umask_is_set.found > 0
  tags:
  - DISA-STIG-UBTU-22-412035
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure the Default UMASK is Appended Correctly
  ansible.builtin.lineinfile:
    create: true
    path: /etc/login.defs
    line: UMASK {{ var_accounts_user_umask }}
  when:
  - '"login" in ansible_facts.packages'
  - result_umask_is_set.found == 0
  tags:
  - DISA-STIG-UBTU-22-412035
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then

var_accounts_user_umask='027'


# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^UMASK")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_user_umask"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
else
    if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/login.defs"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure the Default Umask is Set Correctly in /etc/profile

Rule ID xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile

Result

unknown

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

Description

To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:

umask 027

Note that /etc/profile also reads scrips within /etc/profile.d directory. These scripts are also valid files to set umask value. Therefore, they should also be considered during the check and properly remediated, if necessary.

Rationale

OVAL details

umask value(s) from profile configuration files match the requirement failed because of these items:

Var ref
oval:ssg-var_etc_profile_umask_as_number:var:1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Ensure the Default Umask is Set Correctly in /etc/profile - Locate Profile
    Configuration Files Where umask Is Defined
  ansible.builtin.find:
    paths:
    - /etc/profile.d
    patterns:
    - sh.local
    - '*.sh'
    contains: ^[\s]*umask\s+\d+
  register: result_profile_d_files
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_profile
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure the Default Umask is Set Correctly in /etc/profile - Replace Existing
    umask Value in Files From /etc/profile.d
  ansible.builtin.replace:
    path: '{{ item.path }}'
    regexp: ^(\s*)umask\s+\d+
    replace: \1umask {{ var_accounts_user_umask }}
  loop: '{{ result_profile_d_files.files }}'
  register: result_umask_replaced_profile_d
  when: result_profile_d_files.matched
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_profile
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask Is
    Set in /etc/profile if Not Already Set Elsewhere
  ansible.builtin.lineinfile:
    create: true
    mode: 420
    path: /etc/profile
    line: umask {{ var_accounts_user_umask }}
  when: not result_profile_d_files.matched
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_profile
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask Value
    For All Existing umask Definition in /etc/profile
  ansible.builtin.replace:
    path: /etc/profile
    regexp: ^(\s*)umask\s+\d+
    replace: \1umask {{ var_accounts_user_umask }}
  register: result_umask_replaced_profile
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - accounts_umask_etc_profile
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict


var_accounts_user_umask='027'


readarray -t profile_files < <(find /etc/profile.d/ -type f -name '*.sh' -or -name 'sh.local')

for file in "${profile_files[@]}" /etc/profile; do
  grep -qE '^[^#]*umask' "$file" && sed -i -E "s/^(\s*umask\s*)[0-7]+/\1$var_accounts_user_umask/g" "$file"
done

if ! grep -qrE '^[^#]*umask' /etc/profile*; then
  echo "umask $var_accounts_user_umask" >> /etc/profile
fi

Ensure the Default Umask is Set Correctly For Interactive Users

Rule ID xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: CCI-000366, CCI-001814, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00228, 5.5.4

Description

Remove the UMASK environment variable from all interactive users initialization files.

Rationale

The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.

OVAL details

Umask must not be defined in user initialization files passed because these items were not found:

Object oval:ssg-object_accounts_umask_interactive_users:obj:1 of type textfilecontent54_object

Path

Filename

Pattern

Instance

Filter

^(?:arthur):(?:[^:]*:){4}([^:]+):[^:]*$

/home/arthur

^\..*

^[\s]*umask\s*

oval:ssg-state_accounts_umask_interactive_users_bash_history:ste:1

Set Interactive Session Timeout

Rule ID xccdf_org.ssgproject.content_rule_accounts_tmout

Result

error

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.11, CCI-000057, CCI-001133, CCI-002361, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-12, SC-10, AC-2(5), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010, UBTU-22-412030, 5.5.5, R32, 8.6.1

Description

Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The TMOUT setting in a file loaded by /etc/profile, e.g. /etc/profile.d/tmout.sh should read as follows:

TMOUT=900

readonly TMOUT export TMOUT

Rationale

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

OVAL details

TMOUT in /etc/bash.bashrc failed because these items were missing:

Object oval:ssg-object_etc_bashrc_tmout:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/bash.bashrc	^[\s]TMOUT=([\w$]+)[\s]readonly TMOUT[\s]*export TMOUT$	1

State oval:ssg-state_etc_profile_tmout:ste:1 of type textfilecontent54_state

Subexpression
900

TMOUT in /etc/profile failed because these items were missing:

Object oval:ssg-object_etc_profile_tmout:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/profile	^[\s]TMOUT=([\w$]+)[\s]readonly TMOUT[\s]*export TMOUT$	1

State oval:ssg-state_etc_profile_tmout:ste:1 of type textfilecontent54_state

Subexpression
900

TMOUT in /etc/profile.d/*.sh failed because these items were missing:

Object oval:ssg-object_etc_profiled_tmout:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/profile.d	^.*\.sh$	^[\s]TMOUT=([\w$]+)[\s]readonly TMOUT[\s]*export TMOUT$	1

State oval:ssg-state_etc_profile_tmout:ste:1 of type textfilecontent54_state

Subexpression
900open(): '/etc/profile.d/debuginfod.sh' Permission denied.

Check that at least one TMOUT is defined failed because of these items:

Var ref
oval:ssg-variable_count_of_tmout_instances:var:1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_accounts_tmout # promote to variable
  set_fact:
    var_accounts_tmout: !!str 900
  tags:
    - always

- name: Correct any occurrence of TMOUT in /etc/profile
  replace:
    path: /etc/profile
    regexp: ^[^#].*TMOUT=.*
    replace: typeset -xr TMOUT={{ var_accounts_tmout }}
  register: profile_replaced
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-412030
  - NIST-800-171-3.1.11
  - NIST-800-53-AC-12
  - NIST-800-53-AC-2(5)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-10
  - PCI-DSSv4-8.6.1
  - accounts_tmout
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Interactive Session Timeout
  lineinfile:
    path: /etc/profile.d/tmout.sh
    create: true
    regexp: TMOUT=
    line: typeset -xr TMOUT={{ var_accounts_tmout }}
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-412030
  - NIST-800-171-3.1.11
  - NIST-800-53-AC-12
  - NIST-800-53-AC-2(5)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-10
  - PCI-DSSv4-8.6.1
  - accounts_tmout
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_accounts_tmout='900'


# if 0, no occurence of tmout found, if 1, occurence found
tmout_found=0

for f in /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh; do
    if grep --silent '^\s*TMOUT' $f; then
        sed -i -E "s/^(\s*)TMOUT\s*=\s*(\w|\$)*(.*)$/\1TMOUT=$var_accounts_tmout\3/g" $f
        tmout_found=1
        if ! grep --silent '^\s*readonly TMOUT' $f ; then
            echo "readonly TMOUT" >> $f
        fi
        if ! grep --silent '^\s*export TMOUT' $f ; then
            echo "export TMOUT" >> $f
        fi
    fi
done

if [ $tmout_found -eq 0 ]; then
        echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/tmout.sh
        echo "TMOUT=$var_accounts_tmout" >> /etc/profile.d/tmout.sh
        echo "readonly TMOUT" >> /etc/profile.d/tmout.sh
        echo "export TMOUT" >> /etc/profile.d/tmout.sh
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

User Initialization Files Must Be Group-Owned By The Primary Group

Rule ID xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership

Result

pass

Time 2025-05-13T15:24:10

Severity medium

Identifiers and References

References: CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.17, R50

Description

Change the group owner of interactive users files to the group found in

/etc/passwd

for the user. To change the group owner of a local interactive user home directory, use the following command:

$ sudo chgrp USER_GROUP /home/USER/.INIT_FILE

This rule ensures every initialization file related to an interactive user is group-owned by an interactive user.

Rationale

Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

Warnings

warning Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the group-ownership of their respective initialization files.

OVAL details

All user initialization files are group-owned by a local interactive user passed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/home/arthur/.sudo_as_admin_successful	regular	1000	1000	0	`rw-r--r--`
/home/arthur/.ftba/.mod_meta.json	regular	1000	1000	2	`rw-rw-r--`
/home/arthur/.lesshst	regular	1000	1000	20	`rw-------`
/home/arthur/.config/.gsd-keyboard.settings-ported	regular	1000	1000	0	`rw-rw-r--`
/home/arthur/.bash_logout	regular	1000	1000	220	`rw-r--r--`
/home/arthur/.bashrc	regular	1000	1000	3863	`rw-r--r--`
/home/arthur/.wget-hsts	regular	1000	1000	296	`rw-rw-r--`
/home/arthur/.bash_history	regular	1000	1000	88012	`rw-------`
/home/arthur/.profile	regular	1000	1000	807	`rw-r--r--`
/home/arthur/.selected_editor	regular	1000	1000	66	`rw-rw-r--`
/home/arthur/john/.gitignore	regular	1000	1000	1595	`rw-rw-r--`
/home/arthur/john/.pre-commit.sh	regular	1000	1000	3836	`rwxrwxr-x`
/home/arthur/idevicerestore/.gitignore	regular	1000	1000	549	`rw-rw-r--`
/home/arthur/john/.editorconfig	regular	1000	1000	2980	`rw-rw-r--`
/home/arthur/john/.gitattributes	regular	1000	1000	982	`rw-rw-r--`
/home/arthur/john/.travis.yml	regular	1000	1000	1251	`rw-rw-r--`
/home/arthur/john/.mailmap	regular	1000	1000	2975	`rw-rw-r--`

User Initialization Files Must Not Run World-Writable Programs

Rule ID

xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs

Result

pass

Time

2025-05-13T15:24:35

Severity

medium

Identifiers and References

References: CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.17

Description

Set the mode on files being executed by the user initialization files with the following command:

$ sudo chmod o-w FILE

Rationale

If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.

OVAL details

Init files do not execute world-writable programs passed because these items were not found:

Object oval:ssg-object_accounts_user_dot_no_world_writable_programs_init_files:obj:1 of type textfilecontent54_object

Path

Filename

Pattern

Instance

^[^#]*/home/arthur/Desktop/DGSE/service_3/Victim/Victim-file1\.iso

^[^#]*/home/arthur/\.ftba/bin/runtime/OpenJDK8U-jre_x64_linux_hotspot_8u312b07/jdk8u312-b07-jre/lib/amd64/server/libjsig\.so

^[^#]*/home/arthur/Desktop/DGSE/service_3/Victim/Victim\.mf

^[^#]*/tmp/results\.xml

^[^#]*/home/arthur/Desktop/DGSE/service_3/Victim/Victim-disk1\.vmdk

^[^#]*/home/arthur/\.ftba/bin/runtime/OpenJDK8U-jre_x64_linux_hotspot_8u312b07/jdk8u312-b07-jre/man/ja

^[^#]*/home/arthur/Desktop/404/\.wh\.\.git

^[^#]*/home/arthur/Desktop/DGSE/service_3/Victim/Victim\.ovf

^[^#]*/tmp/report\.html

/home/arthur/Desktop/DGSE/service_3/Victim/Victim-file1.iso

/home/arthur/.ftba/bin/runtime/OpenJDK8U-jre_x64_linux_hotspot_8u312b07/jdk8u312-b07-jre/lib/amd64/server/libjsig.so

/home/arthur/Desktop/DGSE/service_3/Victim/Victim.mf

/tmp/results.xml

/home/arthur/Desktop/DGSE/service_3/Victim/Victim-disk1.vmdk

/home/arthur/.ftba/bin/runtime/OpenJDK8U-jre_x64_linux_hotspot_8u312b07/jdk8u312-b07-jre/man/ja

/home/arthur/Desktop/404/.wh..git

/home/arthur/Desktop/DGSE/service_3/Victim/Victim.ovf

/tmp/report.html

/home/arthur

User Initialization Files Must Be Owned By the Primary User

Rule ID xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.17, R50

Description

Set the owner of the user initialization files for interactive users to the primary owner with the following command:

$ sudo chown USER /home/USER/.*

This rule ensures every initialization file related to an interactive user is owned by an interactive user.

Rationale

Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

Warnings

warning Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the ownership of their respective initialization files.

OVAL details

All user initialization files are owned by a local interactive user passed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/home/arthur/.sudo_as_admin_successful	regular	1000	1000	0	`rw-r--r--`
/home/arthur/.ftba/.mod_meta.json	regular	1000	1000	2	`rw-rw-r--`
/home/arthur/.lesshst	regular	1000	1000	20	`rw-------`
/home/arthur/.config/.gsd-keyboard.settings-ported	regular	1000	1000	0	`rw-rw-r--`
/home/arthur/.bash_logout	regular	1000	1000	220	`rw-r--r--`
/home/arthur/.bashrc	regular	1000	1000	3863	`rw-r--r--`
/home/arthur/.wget-hsts	regular	1000	1000	296	`rw-rw-r--`
/home/arthur/.bash_history	regular	1000	1000	88012	`rw-------`
/home/arthur/.profile	regular	1000	1000	807	`rw-r--r--`
/home/arthur/.selected_editor	regular	1000	1000	66	`rw-rw-r--`
/home/arthur/john/.gitignore	regular	1000	1000	1595	`rw-rw-r--`
/home/arthur/john/.pre-commit.sh	regular	1000	1000	3836	`rwxrwxr-x`
/home/arthur/idevicerestore/.gitignore	regular	1000	1000	549	`rw-rw-r--`
/home/arthur/john/.editorconfig	regular	1000	1000	2980	`rw-rw-r--`
/home/arthur/john/.gitattributes	regular	1000	1000	982	`rw-rw-r--`
/home/arthur/john/.travis.yml	regular	1000	1000	1251	`rw-rw-r--`
/home/arthur/john/.mailmap	regular	1000	1000	2975	`rw-rw-r--`

All Interactive Users Home Directories Must Exist

Rule ID xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.11

Description

Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd:

$ sudo mkdir /home/USER

Rationale

If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.

OVAL details

Check the existence of interactive users. passed because of these items:

Var ref	Value
oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count_fs:var:1	1

Check the existence of interactive users. passed because of these items:

Var ref	Value
oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count:var:1	1

All Interactive User Home Directories Must Be Group-Owned By The Primary Group

Rule ID xccdf_org.ssgproject.content_rule_file_groupownership_home_directories

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.12

Description

Change the group owner of interactive users home directory to the group found in /etc/passwd. To change the group owner of interactive users home directory, use the following command:

$ sudo chgrp USER_GROUP /home/USER

This rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory.

Rationale

If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.

Warnings

warning Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the group-ownership of their respective home directories.

OVAL details

All home directories are group-owned by a local interactive group passed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/home/arthur/	directory	1000	1000	4096	`rwxr-x---`

All Interactive User Home Directories Must Be Owned By The Primary User

Rule ID xccdf_org.ssgproject.content_rule_file_ownership_home_directories

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.12

Description

Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the following command:

$ sudo chown USER /home/USER

This rule ensures every home directory related to an interactive user is owned by an interactive user. It also ensures that interactive users are owners of one and only one home directory.

Rationale

If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.

Warnings

warning Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the ownership of their respective home directories.

OVAL details

All home directories are owned by a local interactive user passed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/home/arthur/	directory	1000	1000	4096	`rwxr-x---`

It should not exist duplicated owners of home dirs passed because of these items:

Var ref	Value
oval:ssg-var_file_ownership_home_directories_uids_count:var:1	1

All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_home_directories

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.13

Description

Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command:

$ sudo chmod 0750 /home/USER

Rationale

Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.

OVAL details

All home directories have proper permissions passed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/home/arthur/	directory	1000	1000	4096	`rwxr-x---`

Ensure AppArmor is installed

Rule ID

xccdf_org.ssgproject.content_rule_package_apparmor_installed

Result

pass

Time

2025-05-13T15:24:35

Severity

medium

Identifiers and References

References: CCI-001764, CCI-001774, CCI-002165, CCI-002235, SRG-OS-000368-GPOS-00154, SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125, SRG-OS-000370-GPOS-00155, UBTU-22-431010, 1.6.1.1

Description

AppArmor provide Mandatory Access Controls.

Rationale

Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.

OVAL details

package apparmor is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr
apparmor	amd64	0	2ubuntu2.4	3.0.4	0:3.0.4-2ubuntu2.4

All AppArmor Profiles are in enforce or complain mode

Rule ID xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode

Result

unknown

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1.6.1.3

Description

AppArmor profiles define what resources applications are able to access. To set all profiles to either enforce or complain mode run the following command to set all profiles to enforce mode:

$ sudo aa-enforce /etc/apparmor.d/*

run the following command to set all profiles to complain mode:

$ sudo aa-complain /etc/apparmor.d/*

To list unconfined processes run the following command:

$ sudo apparmor_status | grep processes

Any unconfined processes may need to have a profile created or activated for them and then be restarted.

Rationale

Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This recommendation is intended to ensure that any policies that exist on the system are activated.

OVAL details

Compare number of profiles with sum of complain and enforced failed because of these items:

Var ref
oval:ssg-all_apparmor_profiles_in_enforce_complain_mode_var_num_apparmor_profiles:var:1

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'apparmor' 2>/dev/null | grep -q installed; }; then

var_apparmor_mode='complain'


# make sure apparmor-utils is installed for aa-complain and aa-enforce
DEBIAN_FRONTEND=noninteractive apt-get install -y "apparmor-utils"

# Reload all AppArmor profiles
apparmor_parser -q -r /etc/apparmor.d/

# Set the mode
APPARMOR_MODE="$var_apparmor_mode"

if [ "$APPARMOR_MODE" = "enforce" ]
then
  # Set all profiles to enforce mode
  aa-enforce /etc/apparmor.d/*
fi

if [ "$APPARMOR_MODE" = "complain" ]
then
  # Set all profiles to complain mode
  aa-complain /etc/apparmor.d/*
fi


UNCONFINED=$(aa-status | grep "processes are unconfined" | awk '{print $1;}')
if [ $UNCONFINED -ne 0 ];

then
  echo -e "***WARNING***: There are some unconfined processes:"
  echo -e "----------------------------"
  echo "The may need to have a profile created or activated for them and then be restarted."
  for PROCESS in "${UNCONFINED[@]}"
  do
      echo "$PROCESS"
  done
  echo -e "----------------------------"
  echo "The may need to have a profile created or activated for them and then be restarted."
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure AppArmor is enabled in the bootloader configuration

Rule ID xccdf_org.ssgproject.content_rule_grub2_enable_apparmor

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1.6.1.2

Description

Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment, enact equivalent settings.

Rationale

AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.

OVAL details

apparmor is enabled in bootloader failed because these items were missing:

Object oval:ssg-obj_apparmor_enabled_in_grubcfg:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/grub/grub.cfg	^\slinux\b.(?!/boot/memtest86\+\.bin).\bapparmor=1\b.$	1

security=apparmor is set in bootloader failed because these items were missing:

Object oval:ssg-obj_apparmor_set_in_grubcfg:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/grub/grub.cfg	^\slinux\b.(?!/boot/memtest86\+\.bin).\bsecurity=apparmor\b.$	1

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*apparmor=.*"'  '/etc/default/grub' ; then
       # modify the GRUB command-line if an apparmor= arg already exists
       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)apparmor=[^[:space:]]\+\(.*\"\)/\1apparmor=1\2/"  '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX='  '/etc/default/grub' ; then
       # no apparmor=arg is present, append it
       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 apparmor=1\"/"  '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
       echo "GRUB_CMDLINE_LINUX=\"apparmor=1\"" >> '/etc/default/grub'
fi
# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*security=.*"'  '/etc/default/grub' ; then
       # modify the GRUB command-line if an security= arg already exists
       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)security=[^[:space:]]\+\(.*\"\)/\1security=apparmor\2/"  '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX='  '/etc/default/grub' ; then
       # no security=arg is present, append it
       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 security=apparmor\"/"  '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
       echo "GRUB_CMDLINE_LINUX=\"security=apparmor\"" >> '/etc/default/grub'
fi


update-grub

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify /boot/grub/grub.cfg User Ownership

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
Result	notapplicable
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, SRG-OS-000480-GPOS-00227, 1.4.2, R29, 2.2.6
Description	The file `/boot/grub/grub.cfg` should be owned by the `root` user to prevent destruction or modification of the file. To properly set the owner of `/boot/grub/grub.cfg`, run the command: $ sudo chown root /boot/grub/grub.cfg
Rationale	Only root should be able to modify important boot parameters.

Verify /boot/grub/grub.cfg Permissions

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
Result	notapplicable
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 1.4.2, R29, 2.2.6
Description	File permissions for `/boot/grub/grub.cfg` should be set to 600. To properly set the permissions of `/boot/grub/grub.cfg`, run the command: $ sudo chmod 600 /boot/grub/grub.cfg
Rationale	Proper permissions ensure that only the root user can modify important boot parameters.

Set Boot Loader Password in grub2

Rule ID	xccdf_org.ssgproject.content_rule_grub2_password
Result	notapplicable
Time	2025-05-13T15:24:35
Severity	high
Identifiers and References	References: 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, UBTU-22-212010, 1.4.1, R5
Description	The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-mkpasswd-pbkdf2 When prompted, enter the password that was selected. Using the hash from the output, modify the `/etc/grub.d/40_custom` file with the following content: set superusers="boot" password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString NOTE: the bootloader superuser account and password MUST differ from the root account and password. Once the superuser password has been added, update the `grub.cfg` file by running: update-grub
Rationale	Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings	warning To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the `grub.cfg` file as the grub2-mkconfig command overwrites this file.

Set the UEFI Boot Loader Password

Rule ID xccdf_org.ssgproject.content_rule_grub2_uefi_password

Result

fail

Time 2025-05-13T15:24:35

Severity high

Identifiers and References

References: 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, UBTU-22-212010, 1.4.1, R5

Description

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

# grub2-mkpasswd-pbkdf2

When prompted, enter the password that was selected.

Using the hash from the output, modify the /etc/grub.d/40_custom file with the following content:

set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString

NOTE: the bootloader superuser account and password MUST differ from the root account and password. Once the superuser password has been added, update the grub.cfg file by running:

update-grub

Rationale

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Warnings

warning To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.

OVAL details

make sure a password is defined in /boot/grub/grub.cfg failed because these items were missing:

Object oval:ssg-object_grub2_uefi_password_grubcfg:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/grub/grub.cfg	^[\s]password_pbkdf2[\s]+.[\s]+grub\.pbkdf2\.sha512.*$	1

superuser is defined in /boot/grub/grub.cfg failed because these items were missing:

Object oval:ssg-object_bootloader_uefi_superuser:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/grub/grub.cfg	^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$	1

Install systemd-journal-remote Package

Rule ID xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 4.2.1.1.1

Description

Journald (via systemd-journal-remote ) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management.

Rationale

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.

OVAL details

package systemd-journal-remote is installed failed because these items were missing:

Object oval:ssg-obj_test_package_systemd-journal-remote_installed:obj:1 of type dpkginfo_object

Name
systemd-journal-remote

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

- name: Ensure systemd-journal-remote is installed
  package:
    name: systemd-journal-remote
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_systemd-journal-remote_installed

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include install_systemd-journal-remote

class install_systemd-journal-remote {
  package { 'systemd-journal-remote':
    ensure => 'installed',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

DEBIAN_FRONTEND=noninteractive apt-get install -y "systemd-journal-remote"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation script: (show)


[[packages]]
name = "systemd-journal-remote"
version = "*"

Enable systemd-journald Service

Rule ID xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: CCI-001665, SC-24, SRG-OS-000269-GPOS-00103, 4.2.1.2

Description

The systemd-journald service is an essential component of systemd. The systemd-journald service can be enabled with the following command:

$ sudo systemctl enable systemd-journald.service

Rationale

In the event of a system failure, Ubuntu 22.04 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.

OVAL details

package systemd is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr
systemd	amd64	0	0ubuntu3.15	249.11	0:249.11-0ubuntu3.15

Test that the systemd-journald service is running passed because of these items:

Unit	Property	Value
systemd-journald.service	ActiveState	active
systemd-journald.socket	ActiveState	active

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

Ensure journald is configured to compress large log files

Rule ID xccdf_org.ssgproject.content_rule_journald_compress

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 4.2.1.3

Description

The journald system can compress large log files to avoid fill the system disk.

Rationale

Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full.

OVAL details

tests the value of Compress setting in the /etc/systemd/journald.conf file failed because these items were missing:

Object oval:ssg-obj_journald_compress:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/systemd/journald.conf	^[ \t]Compress=(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_journald_compress:ste:1 of type textfilecontent54_state

Subexpression
^yes$

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Setting unquoted shell-style assignment of 'Compress' to 'yes' in '/etc/systemd/journald.conf'
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/systemd/journald.conf
      create: true
      regexp: ^\s*Compress=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/systemd/journald.conf
    lineinfile:
      path: /etc/systemd/journald.conf
      create: true
      regexp: ^\s*Compress=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/systemd/journald.conf
    lineinfile:
      path: /etc/systemd/journald.conf
      create: true
      regexp: ^\s*Compress=
      line: Compress=yes
      state: present
      insertbefore: ^# Compress
      validate: /usr/bin/bash -n %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - journald_compress
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/systemd/journald.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*Compress\s*=\s*/d" "/etc/systemd/journald.conf"
else
    touch "/etc/systemd/journald.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/systemd/journald.conf"

cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak"
# Insert before the line matching the regex '^#\s*Compress'.
line_number="$(LC_ALL=C grep -n "^#\s*Compress" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*Compress', insert at
    # the end of the file.
    printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
    printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf"
    tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
# Clean up after ourselves.
rm "/etc/systemd/journald.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure journald is configured to write log files to persistent disk

Rule ID xccdf_org.ssgproject.content_rule_journald_storage

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 4.2.1.4

Description

The journald system may store log files in volatile memory or locally on disk. If the logs are only stored in volatile memory they will we lost upon reboot.

Rationale

Log files contain valuable data and need to be persistent to aid in possible investigations.

OVAL details

tests the value of Storage setting in the /etc/systemd/journald.conf file failed because these items were missing:

Object oval:ssg-obj_journald_storage:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/systemd/journald.conf	^[ \t]Storage=(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_journald_storage:ste:1 of type textfilecontent54_state

Subexpression
^persistent$

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Setting unquoted shell-style assignment of 'Storage' to 'persistent' in '/etc/systemd/journald.conf'
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/systemd/journald.conf
      create: true
      regexp: ^\s*Storage=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/systemd/journald.conf
    lineinfile:
      path: /etc/systemd/journald.conf
      create: true
      regexp: ^\s*Storage=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/systemd/journald.conf
    lineinfile:
      path: /etc/systemd/journald.conf
      create: true
      regexp: ^\s*Storage=
      line: Storage=persistent
      state: present
      insertbefore: ^# Storage
      validate: /usr/bin/bash -n %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - journald_storage
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/systemd/journald.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*Storage\s*=\s*/d" "/etc/systemd/journald.conf"
else
    touch "/etc/systemd/journald.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/systemd/journald.conf"

cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak"
# Insert before the line matching the regex '^#\s*Storage'.
line_number="$(LC_ALL=C grep -n "^#\s*Storage" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*Storage', insert at
    # the end of the file.
    printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
    printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf"
    tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
# Clean up after ourselves.
rm "/etc/systemd/journald.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable systemd-journal-remote Socket

Rule ID

xccdf_org.ssgproject.content_rule_socket_systemd-journal-remote_disabled

Result

pass

Time

2025-05-13T15:24:35

Severity

medium

Identifiers and References

References: 4.2.1.1.4

Description

Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: The same package, systemd-journal-remote , is used for both sending logs to remote hosts and receiving incoming logs. With regards to receiving logs, there are two Systemd unit files; systemd-journal-remote.socket and systemd-journal-remote.service.

Rationale

If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary.

OVAL details

Test that the property LoadState from the systemd-journal-remote.socket is masked passed because these items were not found:

Object oval:ssg-obj_socket_loadstate_is_masked_systemd-journal-remote:obj:1 of type systemdunitproperty_object

Unit	Property
^systemd-journal-remote.socket$	LoadState

State oval:ssg-state_socket_loadstate_is_masked_systemd-journal-remote:ste:1 of type systemdunitproperty_state

Value
masked

Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

Rule ID xccdf_org.ssgproject.content_rule_rsyslog_nolisten

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, MEA02.01, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.2.3.4, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.8, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 4.2.2.7

Description

The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure any of the following lines are not found in rsyslog configuration files. If using legacy syntax:

$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port

If using RainerScript syntax:

module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")

Rationale

Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.

OVAL details

rsyslog configuration files don't contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun | $ModLoad imtcp | $ModLoad imudp | $ModLoad imrelp passed because these items were not found:

Object oval:ssg-object_rsyslog_nolisten_legacy:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\/etc\/rsyslog(\.conf\|\.d\/.*\.conf)$	^[\s]*\$((?:Input(?:TCP\|RELP)\|UDP)ServerRun\|ModLoad[\s]+(imtcp\|imudp\|imrelp))	1

rsyslog configuration files don't use imtcp or imudp modules passed because these items were not found:

Object oval:ssg-object_rsyslog_nolisten_rainerscript:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\/etc\/rsyslog(\.conf\|\.d\/.*\.conf)$	^\s(?:module\|input)\((?:load\|type)="(imtcp\|imudp)".$	1

Ensure Logs Sent To Remote Host

Rule ID xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 13, 14, 15, 16, 2, 3, 5, 6, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2, 0988, 1405, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1, CIP-003-8 R5.2, CIP-004-6 R3.3, CM-6(a), AU-4(1), AU-9(2), PR.DS-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, 4.2.2.6, R71

Description

To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting logcollector appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:

*.* @logcollector

To use TCP for log message delivery:

*.* @@logcollector

To use RELP for log message delivery:

*.* :omrelp:logcollector

There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility.

Rationale

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Warnings

warning It is important to configure queues in case the client is sending log messages to a remote server. If queues are not configured, the system will stop functioning when the connection to the remote server is not available. Please consult Rsyslog documentation for more information about configuration of queues. The example configuration which should go into /etc/rsyslog.conf can look like the following lines:

$ActionQueueType LinkedList
$ActionQueueFileName queuefilename
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

OVAL details

Ensures system configured to export logs to remote host failed because these items were missing:

Object oval:ssg-object_remote_loghost_rsyslog_conf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/rsyslog.conf	^\\.\[\s]+(?:@\|\:omrelp\:)	1

Ensures system configured to export logs to remote host failed because these items were missing:

Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/rsyslog.d	^.+\.conf$	^\\.\[\s]+(?:@\|\:omrelp\:)	1

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

rsyslog_remote_loghost_address='logcollector'


# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^\*\.\*")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "@@$rsyslog_remote_loghost_address"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^\*\.\*\\>" "/etc/rsyslog.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^\*\.\*\\>.*/$escaped_formatted_output/gi" "/etc/rsyslog.conf"
else
    if [[ -s "/etc/rsyslog.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/rsyslog.conf" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/rsyslog.conf"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/rsyslog.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure rsyslog is Installed

Rule ID xccdf_org.ssgproject.content_rule_package_rsyslog_installed

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, 4.2.2.1

Description

Rsyslog is installed by default. The rsyslog package can be installed with the following command:

 $ apt-get install rsyslog

Rationale

The rsyslog package provides the rsyslog daemon, which provides system logging services.

OVAL details

package rsyslog is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr
rsyslog	amd64	0	2ubuntu2.2	8.2112.0	0:8.2112.0-2ubuntu2.2

Enable rsyslog Service

Rule ID xccdf_org.ssgproject.content_rule_service_rsyslog_enabled

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227, UBTU-22-652010, 4.2.2.2

Description

The rsyslog service provides syslog-style logging by default on Ubuntu 22.04. The rsyslog service can be enabled with the following command:

$ sudo systemctl enable rsyslog.service

Rationale

The rsyslog service must be running in order to provide logging services, which are essential to system administration.

OVAL details

package rsyslog is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr
rsyslog	amd64	0	2ubuntu2.2	8.2112.0	0:8.2112.0-2ubuntu2.2

Test that the rsyslog service is running passed because of these items:

Unit	Property	Value
rsyslog.service	ActiveState	active

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

Ensure rsyslog Default File Permissions Configured

Rule ID

xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode

Result

pass

Time

2025-05-13T15:24:35

Severity

medium

Identifiers and References

References: 4.2.2.4

Description

rsyslog will create logfiles that do not already exist on the system. This settings controls what permissions will be applied to these newly created files.

Rationale

It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.

OVAL details

rsyslog FileCreateMode is configured in only one place passed because of these items:

Path	Content
/etc/rsyslog.conf	$FileCreateMode 0640

Test if FileCreateMode value is valid passed because of these items:

Var ref	Value
oval:ssg-var_filecreatemode_dec:var:1	416

Set Default ip6tables Policy for Incoming Packets

Rule ID	xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule
Result	notapplicable
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, PR.PT-3, 3.5.3.3.1, 1.4.1
Description	To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in `/etc/sysconfig/ip6tables`: :INPUT DROP [0:0] If changes were required, reload the ip6tables rules: $ sudo service ip6tables reload
Rationale	In `ip6tables`, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to `DROP` implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

Set configuration for IPv6 loopback traffic

Rule ID	xccdf_org.ssgproject.content_rule_set_ipv6_loopback_traffic
Result	notapplicable
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: Req-1.3, 3.5.3.3.2, 1.4.1
Description	Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
Rationale	Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Warnings	warning Changing firewall settings while connected over network can result in being locked out of the system.

Set configuration for loopback traffic

Rule ID	xccdf_org.ssgproject.content_rule_set_loopback_traffic
Result	notapplicable
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: Req-1.3, 3.5.3.2.2, 1.4.1
Description	Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
Rationale	Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Warnings	warning Changing firewall settings while connected over network can result in being locked out of the system.

Ensure ip6tables Firewall Rules Exist for All Open Ports

Rule ID	xccdf_org.ssgproject.content_rule_ip6tables_rules_for_open_ports
Result	notapplicable
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 3.5.3.3.4
Description	Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
Rationale	Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports.
Warnings	warning Changing firewall settings while connected over network can result in being locked out of the system.

Ensure iptables Firewall Rules Exist for All Open Ports

Rule ID	xccdf_org.ssgproject.content_rule_iptables_rules_for_open_ports
Result	notapplicable
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 3.5.3.2.4
Description	Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
Rationale	Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports.
Warnings	warning Changing firewall settings while connected over network can result in being locked out of the system.

Set Default iptables Policy for Incoming Packets

Rule ID	xccdf_org.ssgproject.content_rule_set_iptables_default_rule
Result	notapplicable
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CA-3(5), CM-7(b), SC-7(23), CM-6(a), PR.IP-1, PR.PT-3, 3.5.3.2.1
Description	To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in `/etc/sysconfig/iptables`: :INPUT DROP [0:0]
Rationale	In `iptables` the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to `DROP` implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

Install iptables Package

Rule ID	xccdf_org.ssgproject.content_rule_package_iptables_installed
Result	notapplicable
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: CM-6(a), Req-1.4.1, SRG-OS-000480-GPOS-00227, 3.5.3.1.1
Description	The `iptables` package can be installed with the following command: $ apt-get install iptables
Rationale	`iptables` controls the Linux kernel network packet filtering code. `iptables` allows system operators to set up firewalls and IP masquerading, etc.

Remove iptables-persistent Package

Rule ID xccdf_org.ssgproject.content_rule_package_iptables-persistent_removed

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 3.5.1.2

Description

The iptables-persistent package can be removed with the following command:

$ apt-get remove iptables-persistent

Rationale

Running both ufw and the services included in the iptables-persistent package may lead to conflict.

OVAL details

package iptables-persistent is removed passed because these items were not found:

Object oval:ssg-obj_test_package_iptables-persistent_removed:obj:1 of type dpkginfo_object

Name
iptables-persistent

Configure Accepting Router Advertisements on All IPv6 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.3.9

Description

To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.accept_ra = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv6.conf.all.accept_ra.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_accept_ra

- name: Comment out any occurrences of net.ipv6.conf.all.accept_ra from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv6.conf.all.accept_ra
    replace: '#net.ipv6.conf.all.accept_ra'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_accept_ra
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_ra_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_all_accept_ra_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.all.accept_ra is set
  sysctl:
    name: net.ipv6.conf.all.accept_ra
    value: '{{ sysctl_net_ipv6_conf_all_accept_ra_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_accept_ra

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv6.conf.all.accept_ra" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv6_conf_all_accept_ra_value='0'


#
# Set runtime for net.ipv6.conf.all.accept_ra
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra="$sysctl_net_ipv6_conf_all_accept_ra_value"

#
# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Accepting ICMP Redirects for All IPv6 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.3.2, R13

Description

To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.accept_redirects = 0

Rationale

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv6.conf.all.accept_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_accept_redirects

- name: Comment out any occurrences of net.ipv6.conf.all.accept_redirects from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv6.conf.all.accept_redirects
    replace: '#net.ipv6.conf.all.accept_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_accept_redirects
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_all_accept_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.all.accept_redirects is set
  sysctl:
    name: net.ipv6.conf.all.accept_redirects
    value: '{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_accept_redirects

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv6.conf.all.accept_redirects" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv6_conf_all_accept_redirects_value='0'


#
# Set runtime for net.ipv6.conf.all.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects="$sysctl_net_ipv6_conf_all_accept_redirects_value"

#
# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_redirects_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.1, R13

Description

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv6.conf.all.accept_source_route.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_accept_source_route

- name: Comment out any occurrences of net.ipv6.conf.all.accept_source_route from
    config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv6.conf.all.accept_source_route
    replace: '#net.ipv6.conf.all.accept_source_route'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_accept_source_route
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_all_accept_source_route_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set
  sysctl:
    name: net.ipv6.conf.all.accept_source_route
    value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_accept_source_route

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_source_route.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv6.conf.all.accept_source_route" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv6_conf_all_accept_source_route_value='0'


#
# Set runtime for net.ipv6.conf.all.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value"

#
# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_source_route")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_source_route_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Kernel Parameter for IPv6 Forwarding

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.2.2

Description

To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.forwarding=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.forwarding = 0

Rationale

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv6.conf.all.forwarding.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_forwarding

- name: Comment out any occurrences of net.ipv6.conf.all.forwarding from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv6.conf.all.forwarding
    replace: '#net.ipv6.conf.all.forwarding'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_forwarding
- name: XCCDF Value sysctl_net_ipv6_conf_all_forwarding_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_all_forwarding_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.all.forwarding is set
  sysctl:
    name: net.ipv6.conf.all.forwarding
    value: '{{ sysctl_net_ipv6_conf_all_forwarding_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_all_forwarding

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.forwarding.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv6.conf.all.forwarding" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv6_conf_all_forwarding_value='0'


#
# Set runtime for net.ipv6.conf.all.forwarding
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding="$sysctl_net_ipv6_conf_all_forwarding_value"

#
# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.all.forwarding = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.forwarding")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_forwarding_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

Description

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.default.accept_ra = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv6.conf.default.accept_ra.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_ra

- name: Comment out any occurrences of net.ipv6.conf.default.accept_ra from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv6.conf.default.accept_ra
    replace: '#net.ipv6.conf.default.accept_ra'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_ra
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_default_accept_ra_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.default.accept_ra is set
  sysctl:
    name: net.ipv6.conf.default.accept_ra
    value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_ra

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv6.conf.default.accept_ra" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv6_conf_default_accept_ra_value='0'


#
# Set runtime for net.ipv6.conf.default.accept_ra
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value"

#
# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.3.2, R13

Description

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.default.accept_redirects = 0

Rationale

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv6.conf.default.accept_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_redirects

- name: Comment out any occurrences of net.ipv6.conf.default.accept_redirects from
    config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv6.conf.default.accept_redirects
    replace: '#net.ipv6.conf.default.accept_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_redirects
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_default_accept_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set
  sysctl:
    name: net.ipv6.conf.default.accept_redirects
    value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_redirects

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv6.conf.default.accept_redirects" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv6_conf_default_accept_redirects_value='0'


#
# Set runtime for net.ipv6.conf.default.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value"

#
# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_redirects_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.1, R13, 1.4.2

Description

To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.default.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv6.conf.default.accept_source_route.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_source_route

- name: Comment out any occurrences of net.ipv6.conf.default.accept_source_route from
    config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv6.conf.default.accept_source_route
    replace: '#net.ipv6.conf.default.accept_source_route'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_source_route
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_default_accept_source_route_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.default.accept_source_route is set
  sysctl:
    name: net.ipv6.conf.default.accept_source_route
    value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_source_route

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_source_route.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv6.conf.default.accept_source_route" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv6_conf_default_accept_source_route_value='0'


#
# Set runtime for net.ipv6.conf.default.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value"

#
# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_source_route")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_source_route_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Accepting ICMP Redirects for All IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.3.2, R12

Description

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.accept_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.accept_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_redirects

- name: Comment out any occurrences of net.ipv4.conf.all.accept_redirects from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.accept_redirects
    replace: '#net.ipv4.conf.all.accept_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_all_accept_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_accept_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set
  sysctl:
    name: net.ipv4.conf.all.accept_redirects
    value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_redirects

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.accept_redirects" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_conf_all_accept_redirects_value='0'


#
# Set runtime for net.ipv4.conf.all.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value"

#
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_redirects_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.1, R12

Description

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.accept_source_route.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_source_route

- name: Comment out any occurrences of net.ipv4.conf.all.accept_source_route from
    config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.accept_source_route
    replace: '#net.ipv4.conf.all.accept_source_route'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_source_route
- name: XCCDF Value sysctl_net_ipv4_conf_all_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_accept_source_route_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set
  sysctl:
    name: net.ipv4.conf.all.accept_source_route
    value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_source_route

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.accept_source_route" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_conf_all_accept_source_route_value='0'


#
# Set runtime for net.ipv4.conf.all.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value"

#
# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_source_route")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_source_route_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians

Result

fail

Time 2025-05-13T15:24:35

Severity unknown

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.4

Description

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.log_martians=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.log_martians = 1

Rationale

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.log_martians.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_all_log_martians
  - unknown_severity

- name: Comment out any occurrences of net.ipv4.conf.all.log_martians from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.log_martians
    replace: '#net.ipv4.conf.all.log_martians'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_all_log_martians
  - unknown_severity
- name: XCCDF Value sysctl_net_ipv4_conf_all_log_martians_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_log_martians_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.log_martians is set
  sysctl:
    name: net.ipv4.conf.all.log_martians
    value: '{{ sysctl_net_ipv4_conf_all_log_martians_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_all_log_martians
  - unknown_severity

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.log_martians from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.log_martians.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.log_martians" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_conf_all_log_martians_value='1'


#
# Set runtime for net.ipv4.conf.all.log_martians
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians="$sysctl_net_ipv4_conf_all_log_martians_value"

#
# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.log_martians")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_log_martians_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.log_martians\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.7, R12, 1.4.3

Description

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.rp_filter = 1

Rationale

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.rp_filter.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_rp_filter

- name: Comment out any occurrences of net.ipv4.conf.all.rp_filter from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.rp_filter
    replace: '#net.ipv4.conf.all.rp_filter'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_rp_filter
- name: XCCDF Value sysctl_net_ipv4_conf_all_rp_filter_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_rp_filter_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.rp_filter is set
  sysctl:
    name: net.ipv4.conf.all.rp_filter
    value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_rp_filter

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.rp_filter" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_conf_all_rp_filter_value='1'


#
# Set runtime for net.ipv4.conf.all.rp_filter
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value"

#
# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.rp_filter")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_rp_filter_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.rp_filter\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001503, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.3, R12, 1.4.3

Description

To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.secure_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_secure_redirects

- name: Comment out any occurrences of net.ipv4.conf.all.secure_redirects from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.secure_redirects
    replace: '#net.ipv4.conf.all.secure_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_secure_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_all_secure_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_secure_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.secure_redirects is set
  sysctl:
    name: net.ipv4.conf.all.secure_redirects
    value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_secure_redirects

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.secure_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.secure_redirects" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_conf_all_secure_redirects_value='0'


#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value"

#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.secure_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_secure_redirects_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.secure_redirects\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.2, R12, 1.4.3

Description

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.accept_redirects = 0

Rationale

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.accept_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_redirects

- name: Comment out any occurrences of net.ipv4.conf.default.accept_redirects from
    config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.accept_redirects
    replace: '#net.ipv4.conf.default.accept_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_default_accept_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_accept_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set
  sysctl:
    name: net.ipv4.conf.default.accept_redirects
    value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_redirects

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.default.accept_redirects" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_conf_default_accept_redirects_value='0'


#
# Set runtime for net.ipv4.conf.default.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value"

#
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_redirects_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
Result	pass
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.1, R12
Description	To set the runtime status of the `net.ipv4.conf.default.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians

Result

fail

Time 2025-05-13T15:24:35

Severity unknown

Identifiers and References

Description

To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.log_martians=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.log_martians = 1

Rationale

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.log_martians.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_default_log_martians
  - unknown_severity

- name: Comment out any occurrences of net.ipv4.conf.default.log_martians from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.log_martians
    replace: '#net.ipv4.conf.default.log_martians'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_default_log_martians
  - unknown_severity
- name: XCCDF Value sysctl_net_ipv4_conf_default_log_martians_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_log_martians_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.log_martians is set
  sysctl:
    name: net.ipv4.conf.default.log_martians
    value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_default_log_martians
  - unknown_severity

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.log_martians from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.log_martians.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.default.log_martians" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_conf_default_log_martians_value='1'


#
# Set runtime for net.ipv4.conf.default.log_martians
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value"

#
# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.log_martians")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_log_martians_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.log_martians\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.7, R12

Description

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.rp_filter = 1

Rationale

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.rp_filter.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_rp_filter

- name: Comment out any occurrences of net.ipv4.conf.default.rp_filter from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.rp_filter
    replace: '#net.ipv4.conf.default.rp_filter'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_rp_filter
- name: XCCDF Value sysctl_net_ipv4_conf_default_rp_filter_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_rp_filter_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.rp_filter is set
  sysctl:
    name: net.ipv4.conf.default.rp_filter
    value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_rp_filter

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.rp_filter from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.rp_filter.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.default.rp_filter" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_conf_default_rp_filter_value='1'


#
# Set runtime for net.ipv4.conf.default.rp_filter
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value"

#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.rp_filter")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_rp_filter_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.rp_filter\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure Kernel Parameter for Accepting Secure Redirects By Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.3, R12

Description

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.secure_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_secure_redirects

- name: Comment out any occurrences of net.ipv4.conf.default.secure_redirects from
    config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.secure_redirects
    replace: '#net.ipv4.conf.default.secure_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_secure_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_default_secure_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_secure_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.secure_redirects is set
  sysctl:
    name: net.ipv4.conf.default.secure_redirects
    value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_secure_redirects

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.secure_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.default.secure_redirects" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_conf_default_secure_redirects_value='0'


#
# Set runtime for net.ipv4.conf.default.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value"

#
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.secure_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_secure_redirects_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.secure_redirects\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.5, 1.4.2

Description

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Rationale

Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_icmp_echo_ignore_broadcasts

- name: Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts
    replace: '#net.ipv4.icmp_echo_ignore_broadcasts'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: XCCDF Value sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value # promote to variable
  set_fact:
    sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set
  sysctl:
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_icmp_echo_ignore_broadcasts

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.icmp_echo_ignore_broadcasts" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value='1'


#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_echo_ignore_broadcasts")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_echo_ignore_broadcasts\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_echo_ignore_broadcasts\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses

Result

fail

Time 2025-05-13T15:24:35

Severity unknown

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.6, R12, 1.4.2

Description

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.icmp_ignore_bogus_error_responses = 1

Rationale

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
  - unknown_severity

- name: Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses
    from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses
    replace: '#net.ipv4.icmp_ignore_bogus_error_responses'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
  - unknown_severity
- name: XCCDF Value sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value # promote to variable
  set_fact:
    sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set
  sysctl:
    name: net.ipv4.icmp_ignore_bogus_error_responses
    value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
  - unknown_severity

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.icmp_ignore_bogus_error_responses" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value='1'


#
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"

#
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_ignore_bogus_error_responses")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_ignore_bogus_error_responses\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_ignore_bogus_error_responses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001095, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.1, SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071, UBTU-22-253010, 3.3.8, R12, 1.4.3

Description

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.tcp_syncookies=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.tcp_syncookies = 1

Rationale

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.tcp_syncookies.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - DISA-STIG-UBTU-22-253010
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(1)
  - NIST-800-53-SC-5(2)
  - NIST-800-53-SC-5(3)(a)
  - PCI-DSS-Req-1.4.1
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_tcp_syncookies

- name: Comment out any occurrences of net.ipv4.tcp_syncookies from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.tcp_syncookies
    replace: '#net.ipv4.tcp_syncookies'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - DISA-STIG-UBTU-22-253010
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(1)
  - NIST-800-53-SC-5(2)
  - NIST-800-53-SC-5(3)(a)
  - PCI-DSS-Req-1.4.1
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_tcp_syncookies
- name: XCCDF Value sysctl_net_ipv4_tcp_syncookies_value # promote to variable
  set_fact:
    sysctl_net_ipv4_tcp_syncookies_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.tcp_syncookies is set
  sysctl:
    name: net.ipv4.tcp_syncookies
    value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - DISA-STIG-UBTU-22-253010
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(1)
  - NIST-800-53-SC-5(2)
  - NIST-800-53-SC-5(3)(a)
  - PCI-DSS-Req-1.4.1
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_tcp_syncookies

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_syncookies.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.tcp_syncookies" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"

sysctl_net_ipv4_tcp_syncookies_value='1'


#
# Set runtime for net.ipv4.tcp_syncookies
#
/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value"

#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_syncookies")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_syncookies_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_syncookies\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_syncookies\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.2.1, R12, 1.4.5

Description

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.send_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.send_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSSv4-1.4.5
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_send_redirects

- name: Comment out any occurrences of net.ipv4.conf.all.send_redirects from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.send_redirects
    replace: '#net.ipv4.conf.all.send_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSSv4-1.4.5
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_send_redirects

- name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0
  sysctl:
    name: net.ipv4.conf.all.send_redirects
    value: '0'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSSv4-1.4.5
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_send_redirects

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.send_redirects" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"


#
# Set runtime for net.ipv4.conf.all.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0"

#
# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.send_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.send_redirects\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.2.1, R12, 1.4.5

Description

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.send_redirects = 0

Rationale

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.send_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSSv4-1.4.5
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_send_redirects

- name: Comment out any occurrences of net.ipv4.conf.default.send_redirects from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.send_redirects
    replace: '#net.ipv4.conf.default.send_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSSv4-1.4.5
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_send_redirects

- name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0
  sysctl:
    name: net.ipv4.conf.default.send_redirects
    value: '0'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSSv4-1.4.5
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_send_redirects

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.default.send_redirects" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"


#
# Set runtime for net.ipv4.conf.default.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0"

#
# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.send_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.send_redirects\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.1, Req-1.3.2, SRG-OS-000480-GPOS-00227, 3.2.2, R12, 1.4.3

Description

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.ip_forward=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.ip_forward = 0

Rationale

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.

Warnings

warning Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking. Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in profiles or benchmarks that target usage of IPv4 forwarding.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.ip_forward.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.3.1
  - PCI-DSS-Req-1.3.2
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_ip_forward

- name: Comment out any occurrences of net.ipv4.ip_forward from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.ip_forward
    replace: '#net.ipv4.ip_forward'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.3.1
  - PCI-DSS-Req-1.3.2
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_ip_forward

- name: Ensure sysctl net.ipv4.ip_forward is set to 0
  sysctl:
    name: net.ipv4.ip_forward
    value: '0'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.3.1
  - PCI-DSS-Req-1.3.2
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_ip_forward

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_forward.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.ip_forward" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"


#
# Set runtime for net.ipv4.ip_forward
#
/sbin/sysctl -q -n -w net.ipv4.ip_forward="0"

#
# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_forward")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_forward\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_forward\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Install nftables Package

Rule ID	xccdf_org.ssgproject.content_rule_package_nftables_installed
Result	notapplicable
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 3.5.2.1, 1.2.1
Description	nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. The `nftables` package can be installed with the following command: $ apt-get install nftables
Rationale	`nftables` is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host.

Verify nftables Service is Enabled

Rule ID xccdf_org.ssgproject.content_rule_service_nftables_enabled

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 3.5.2.9

Description

The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service The nftables service can be enabled with the following command:

$ sudo systemctl enable nftables.service

Rationale

The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service

OVAL details

package nftables is installed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
nftables	amd64	0	1ubuntu3	1.0.2	0:1.0.2-1ubuntu3

Test that the nftables service is running failed because these items were missing:

Object oval:ssg-obj_service_running_nftables:obj:1 of type systemdunitproperty_object

Unit	Property
^nftables\.(socket\|service)$	ActiveState

State oval:ssg-state_service_running_nftables:ste:1 of type systemdunitproperty_state

Value
active

systemd test failed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

systemd test failed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_nftables_enabled

- name: Enable service nftables
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable service nftables
    systemd:
      name: nftables
      enabled: 'yes'
      state: started
      masked: 'no'
    when:
    - '"nftables" in ansible_facts.packages'
  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
    "container"] and "nftables" in ansible_facts.packages )
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_nftables_enabled

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include enable_nftables

class enable_nftables {
  service {'nftables':
    enable => true,
    ensure => 'running',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'nftables' 2>/dev/null | grep -q installed ); then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'nftables.service'
"$SYSTEMCTL_EXEC" start 'nftables.service'
"$SYSTEMCTL_EXEC" enable 'nftables.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation script: (show)


[customizations.services]
enabled = ["nftables"]

Ensure nftables Default Deny Firewall Policy

Rule ID	xccdf_org.ssgproject.content_rule_nftables_ensure_default_deny_policy
Result	notchecked
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 3.5.2.8, 1.3.1
Description	Base chain policy is the default verdict that will be applied to packets reaching the end of the chain. There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack.
Rationale	It is easier to allow acceptable usage than to block unacceptable usage.
Warnings	warning Changing firewall settings while connected over network can result in being locked out of the system.
Evaluation messages info No candidate or applicable check found.

Ensure nftables Rules are Permanent

Rule ID xccdf_org.ssgproject.content_rule_nftables_rules_permanent

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 3.5.2.10

Description

nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the /etc/nftables.conf file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the input, forward, and output base chains allow network traffic to be filtered.

Rationale

Changes made to nftables ruleset only affect the live system, you will also need to configure the nftables ruleset to apply on boot

OVAL details

Check the existence of /etc/nftables.conf file failed because these items were missing:

Object oval:ssg-object_etc_nftables_conf_file:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/nftables.conf	^[\s]*include[\s]+\"([^\s]+)"$	1

Check if file in include entry exists in system failed because these items were missing:

Object oval:ssg-object_etc_nftables_conf_include_file_exists:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/nftables.confReferenced variable has no values (oval:ssg-var_include_entry_config_path:var:1).	^.*$	1

Remediation Shell script: (show)

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if ( dpkg-query --show --showformat='${db:Status-Status}\n' 'nftables' 2>/dev/null | grep -q installed ); then

var_nftables_master_config_file='/etc/nftables.conf'


var_nftables_family='inet'


if [ ! -f "${var_nftables_master_config_file}" ]; then
    touch "${var_nftables_master_config_file}"
fi

nft list ruleset > "/etc/${var_nftables_family}-filter.rules"

grep -qxF 'include "/etc/'"${var_nftables_family}"'-filter.rules"' "${var_nftables_master_config_file}" \
    || echo 'include "/etc/'"${var_nftables_family}"'-filter.rules"' >> "${var_nftables_master_config_file}"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure Base Chains Exist for Nftables

Rule ID	xccdf_org.ssgproject.content_rule_set_nftables_base_chain
Result	notchecked
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 3.5.2.5
Description	Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families. Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization.
Rationale	If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables.
Warnings	warning Configuring rules over ssh, by creating a base chain with policy drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base cahin's policy to drop
Evaluation messages info No candidate or applicable check found.

Set nftables Configuration for Loopback Traffic

Rule ID	xccdf_org.ssgproject.content_rule_set_nftables_loopback_traffic
Result	notchecked
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: Req-1.4.1, 3.5.2.6
Description	Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
Rationale	Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Warnings	warning Changing firewall settings while connected over network can result in being locked out of the system. Keep in mind the remediation makes changes only to the running system, in order to keep the changes need to take care to save the nft settings to the relvant configutation files.
Evaluation messages info No candidate or applicable check found.

Ensure a Table Exists for Nftables

Rule ID	xccdf_org.ssgproject.content_rule_set_nftables_table
Result	notchecked
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 3.5.2.4
Description	Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families.
Rationale	Nftables doesn't have any default tables. Without a table being built, nftables will not filter network traffic. Note: adding rules to a running nftables can cause loss of connectivity to the system.
Warnings	warning Adding rules to a running nftables can cause loss of connectivity to the system.
Evaluation messages info No candidate or applicable check found.

Remove ufw Package

Rule ID xccdf_org.ssgproject.content_rule_package_ufw_removed

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 3.5.3.1.3

Description

The ufw package can be removed with the following command:

$ apt-get remove ufw

Rationale

Running iptables.persistent with ufw enabled may lead to conflict and unexpected results.

OVAL details

package ufw is removed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
ufw	all	0	4ubuntu0.1	0.36.1	0:0.36.1-4ubuntu0.1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Ensure ufw is removed
  package:
    name: ufw
    state: absent
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_ufw_removed

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

include remove_ufw

class remove_ufw {
  package { 'ufw':
    ensure => 'purged',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# CAUTION: This remediation script will remove ufw
#	   from the system, and may remove any packages
#	   that depend on ufw. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

DEBIAN_FRONTEND=noninteractive apt-get remove -y "ufw"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify ufw Enabled

Rule ID xccdf_org.ssgproject.content_rule_service_ufw_enabled

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: CCI-002314, SRG-OS-000297-GPOS-00115, UBTU-22-251015, 3.5.1.3

Description

The ufw service can be enabled with the following command:

$ sudo systemctl enable ufw.service

Rationale

The ufw service must be enabled and running in order for ufw to protect the system

OVAL details

package ufw is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr
ufw	all	0	4ubuntu0.1	0.36.1	0:0.36.1-4ubuntu0.1

Test that the ufw service is running passed because of these items:

Unit	Property	Value
ufw.service	ActiveState	active

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

Ensure ufw Default Deny Firewall Policy

Rule ID	xccdf_org.ssgproject.content_rule_set_ufw_default_rule
Result	notchecked
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 3.5.1.7
Description	A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without a explicit allow before the default deny will be blocked.
Rationale	With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to allow acceptable usage than to block unacceptable usage.
Warnings	warning Changing firewall settings while connected over network can result in being locked out of the system.
Evaluation messages info No candidate or applicable check found.

Set UFW Loopback Traffic

Rule ID	xccdf_org.ssgproject.content_rule_set_ufw_loopback_traffic
Result	notchecked
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 3.5.1.4
Description	Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
Rationale	Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Warnings	warning Changing firewall settings while connected over network can result in being locked out of the system.
Evaluation messages info No candidate or applicable check found.

Ensure ufw Firewall Rules Exist for All Open Ports

Rule ID	xccdf_org.ssgproject.content_rule_ufw_rules_for_open_ports
Result	notchecked
Time	2025-05-13T15:24:35
Severity	medium
Identifiers and References	References: 3.5.1.6
Description	Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
Rationale	Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports.
Warnings	warning Changing firewall settings while connected over network can result in being locked out of the system.
Evaluation messages info No candidate or applicable check found.

Deactivate Wireless Network Interfaces

Rule ID xccdf_org.ssgproject.content_rule_wireless_disable_interfaces

Result

fail

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-002418, CCI-002421, CCI-001443, CCI-001444, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1315, 1319, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.3, SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-000481, UBTU-22-291015, 3.1.2, 1.3.3

Description

Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Verify that there are no wireless interfaces configured on the system with the following command:

$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename -a

Rationale

The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

OVAL details

query /proc/net/wireless failed because of these items:

Path	Content
/proc/net/wireless	wlo1:

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	false
Strategy:	unknown

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-22-291015
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(3)
  - NIST-800-53-AC-18(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - PCI-DSS-Req-1.3.3
  - PCI-DSSv4-1.3.3
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
  - wireless_disable_interfaces

- name: Service facts
  ansible.builtin.service_facts: null
  tags:
  - DISA-STIG-UBTU-22-291015
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(3)
  - NIST-800-53-AC-18(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - PCI-DSS-Req-1.3.3
  - PCI-DSSv4-1.3.3
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
  - wireless_disable_interfaces

- name: Ensure NetworkManager is installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
  - NetworkManager
  tags:
  - DISA-STIG-UBTU-22-291015
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(3)
  - NIST-800-53-AC-18(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - PCI-DSS-Req-1.3.3
  - PCI-DSSv4-1.3.3
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
  - wireless_disable_interfaces

- name: NetworkManager Deactivate Wireless Network Interfaces
  command: nmcli radio wifi off
  when:
  - '''NetworkManager'' in ansible_facts.packages'
  - ansible_facts.services['NetworkManager.service'].state == 'running'
  tags:
  - DISA-STIG-UBTU-22-291015
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(3)
  - NIST-800-53-AC-18(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - PCI-DSS-Req-1.3.3
  - PCI-DSSv4-1.3.3
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
  - wireless_disable_interfaces

Remediation Shell script: (show)


if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
    interfaces=$(find /sys/class/net/*/wireless -type d -name wireless | xargs -0 dirname | xargs basename)

    for i in $interfaces; do
        ip link set dev "$i" down
        drivers=$(basename "$(readlink -f /sys/class/net/"$i"/device/driver)")
        echo "install $drivers /bin/false" >> /etc/modprobe.d/disable_wireless.conf
        modprobe -r "$drivers"
     done
fi

Verify Group Who Owns Backup group File

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-002223, AC-6 (1), Req-8.7, SRG-OS-000480-GPOS-00227, 6.1.4, 2.2.6

Description

To properly set the group owner of /etc/group-, run the command:

$ sudo chgrp root /etc/group-

Rationale

The /etc/group- file is a backup file of /etc/group, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Testing group ownership of /etc/group- passed because these items were not found:

Object oval:ssg-object_file_groupowner_backup_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group-	oval:ssg-symlink_file_groupowner_backup_etc_group_uid_0:ste:1	oval:ssg-state_file_groupowner_backup_etc_group_gid_0_0:ste:1

Verify Group Who Owns Backup gshadow File

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-002223, AC-6 (1), Req-8.7, SRG-OS-000480-GPOS-00227, 6.1.8

Description

To properly set the group owner of /etc/gshadow-, run the command:

$ sudo chgrp shadow /etc/gshadow-

Rationale

The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.

OVAL details

Testing group ownership of /etc/gshadow- passed because these items were not found:

Object oval:ssg-object_file_groupowner_backup_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow-	oval:ssg-symlink_file_groupowner_backup_etc_gshadow_uid_42:ste:1	oval:ssg-state_file_groupowner_backup_etc_gshadow_gid_42_0:ste:1

Verify Group Who Owns Backup passwd File

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-002223, AC-6 (1), Req-8.7, SRG-OS-000480-GPOS-00227, 6.1.2, 2.2.6

Description

To properly set the group owner of /etc/passwd-, run the command:

$ sudo chgrp root /etc/passwd-

Rationale

The /etc/passwd- file is a backup file of /etc/passwd, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL details

Testing group ownership of /etc/passwd- passed because these items were not found:

Object oval:ssg-object_file_groupowner_backup_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd-	oval:ssg-symlink_file_groupowner_backup_etc_passwd_uid_0:ste:1	oval:ssg-state_file_groupowner_backup_etc_passwd_gid_0_0:ste:1

Verify User Who Owns Backup shadow File

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: Req-8.7, SRG-OS-000480-GPOS-00227, 6.1.6, 2.2.6

Description

To properly set the group owner of /etc/shadow-, run the command:

$ sudo chgrp shadow /etc/shadow-

Rationale

The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.

OVAL details

Testing group ownership of /etc/shadow- passed because these items were not found:

Object oval:ssg-object_file_groupowner_backup_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow-	oval:ssg-symlink_file_groupowner_backup_etc_shadow_uid_42:ste:1	oval:ssg-state_file_groupowner_backup_etc_shadow_gid_42_0:ste:1

Verify Group Who Owns group File

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_etc_group

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.3, R50, 2.2.6

Description

To properly set the group owner of /etc/group, run the command:

$ sudo chgrp root /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Testing group ownership of /etc/group passed because these items were not found:

Object oval:ssg-object_file_groupowner_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group	oval:ssg-symlink_file_groupowner_etc_group_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_group_gid_0_0:ste:1

Verify Group Who Owns gshadow File

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.7, R50

Description

To properly set the group owner of /etc/gshadow, run the command:

$ sudo chgrp shadow /etc/gshadow

Rationale

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

OVAL details

Testing group ownership of /etc/gshadow passed because these items were not found:

Object oval:ssg-object_file_groupowner_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow	oval:ssg-symlink_file_groupowner_etc_gshadow_uid_42:ste:1	oval:ssg-state_file_groupowner_etc_gshadow_gid_42_0:ste:1

Verify Group Who Owns passwd File

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

To properly set the group owner of /etc/passwd, run the command:

$ sudo chgrp root /etc/passwd

Rationale

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL details

Testing group ownership of /etc/passwd passed because these items were not found:

Object oval:ssg-object_file_groupowner_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd	oval:ssg-symlink_file_groupowner_etc_passwd_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_passwd_gid_0_0:ste:1

Verify Group Who Owns shadow File

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

To properly set the group owner of /etc/shadow, run the command:

$ sudo chgrp shadow /etc/shadow

Rationale

The /etc/shadow file stores password hashes. Protection of this file is critical for system security.

OVAL details

Testing group ownership of /etc/shadow passed because these items were not found:

Object oval:ssg-object_file_groupowner_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow	oval:ssg-symlink_file_groupowner_etc_shadow_uid_42:ste:1	oval:ssg-state_file_groupowner_etc_shadow_gid_42_0:ste:1

Verify User Who Owns Backup group File

Rule ID xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-002223, AC-6 (1), Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.4, 2.2.6

Description

To properly set the owner of /etc/group-, run the command:

$ sudo chown root /etc/group-

Rationale

OVAL details

Testing user ownership of /etc/group- passed because these items were not found:

Object oval:ssg-object_file_owner_backup_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group-	oval:ssg-symlink_file_owner_backup_etc_group_uid_0:ste:1	oval:ssg-state_file_owner_backup_etc_group_uid_0_0:ste:1

Verify User Who Owns Backup gshadow File

Rule ID xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-002223, AC-6 (1), Req-8.7, SRG-OS-000480-GPOS-00227, 6.1.8

Description

To properly set the owner of /etc/gshadow-, run the command:

$ sudo chown root /etc/gshadow-

Rationale

The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.

OVAL details

Testing user ownership of /etc/gshadow- passed because these items were not found:

Object oval:ssg-object_file_owner_backup_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow-	oval:ssg-symlink_file_owner_backup_etc_gshadow_uid_0:ste:1	oval:ssg-state_file_owner_backup_etc_gshadow_uid_0_0:ste:1

Verify User Who Owns Backup passwd File

Rule ID xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-002223, AC-6 (1), Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2, 2.2.6

Description

To properly set the owner of /etc/passwd-, run the command:

$ sudo chown root /etc/passwd-

Rationale

OVAL details

Testing user ownership of /etc/passwd- passed because these items were not found:

Object oval:ssg-object_file_owner_backup_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd-	oval:ssg-symlink_file_owner_backup_etc_passwd_uid_0:ste:1	oval:ssg-state_file_owner_backup_etc_passwd_uid_0_0:ste:1

Verify Group Who Owns Backup shadow File

Rule ID xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-002223, AC-6 (1), Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.6, 2.2.6

Description

To properly set the owner of /etc/shadow-, run the command:

$ sudo chown root /etc/shadow-

Rationale

The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.

OVAL details

Testing user ownership of /etc/shadow- passed because these items were not found:

Object oval:ssg-object_file_owner_backup_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow-	oval:ssg-symlink_file_owner_backup_etc_shadow_uid_0:ste:1	oval:ssg-state_file_owner_backup_etc_shadow_uid_0_0:ste:1

Verify User Who Owns group File

Rule ID xccdf_org.ssgproject.content_rule_file_owner_etc_group

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.3, R50, 2.2.6

Description

To properly set the owner of /etc/group, run the command:

$ sudo chown root /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Testing user ownership of /etc/group passed because these items were not found:

Object oval:ssg-object_file_owner_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group	oval:ssg-symlink_file_owner_etc_group_uid_0:ste:1	oval:ssg-state_file_owner_etc_group_uid_0_0:ste:1

Verify User Who Owns gshadow File

Rule ID xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.7, R50

Description

To properly set the owner of /etc/gshadow, run the command:

$ sudo chown root /etc/gshadow

Rationale

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

OVAL details

Testing user ownership of /etc/gshadow passed because these items were not found:

Object oval:ssg-object_file_owner_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow	oval:ssg-symlink_file_owner_etc_gshadow_uid_0:ste:1	oval:ssg-state_file_owner_etc_gshadow_uid_0_0:ste:1

Verify User Who Owns passwd File

Rule ID xccdf_org.ssgproject.content_rule_file_owner_etc_passwd

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

To properly set the owner of /etc/passwd, run the command:

$ sudo chown root /etc/passwd

Rationale

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL details

Testing user ownership of /etc/passwd passed because these items were not found:

Object oval:ssg-object_file_owner_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd	oval:ssg-symlink_file_owner_etc_passwd_uid_0:ste:1	oval:ssg-state_file_owner_etc_passwd_uid_0_0:ste:1

Verify User Who Owns shadow File

Rule ID xccdf_org.ssgproject.content_rule_file_owner_etc_shadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

To properly set the owner of /etc/shadow, run the command:

$ sudo chown root /etc/shadow

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

OVAL details

Testing user ownership of /etc/shadow passed because these items were not found:

Object oval:ssg-object_file_owner_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow	oval:ssg-symlink_file_owner_etc_shadow_uid_0:ste:1	oval:ssg-state_file_owner_etc_shadow_uid_0_0:ste:1

Verify Permissions on Backup group File

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-002223, AC-6 (1), Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.4, 2.2.6

Description

To properly set the permissions of /etc/group-, run the command:

$ sudo chmod 0644 /etc/group-

Rationale

OVAL details

Testing mode of /etc/group- passed because these items were not found:

Object oval:ssg-object_file_permissions_backup_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group-	oval:ssg-exclude_symlinks__backup_etc_group:ste:1	oval:ssg-state_file_permissions_backup_etc_group_0_mode_0644or_stricter_:ste:1

Verify Permissions on Backup gshadow File

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.8

Description

To properly set the permissions of /etc/gshadow-, run the command:

$ sudo chmod 0640 /etc/gshadow-

Rationale

The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.

OVAL details

Testing mode of /etc/gshadow- passed because these items were not found:

Object oval:ssg-object_file_permissions_backup_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow-	oval:ssg-exclude_symlinks__backup_etc_gshadow:ste:1	oval:ssg-state_file_permissions_backup_etc_gshadow_0_mode_0640or_stricter_:ste:1

Verify Permissions on Backup passwd File

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-002223, AC-6 (1), Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2, 2.2.6

Description

To properly set the permissions of /etc/passwd-, run the command:

$ sudo chmod 0644 /etc/passwd-

Rationale

OVAL details

Testing mode of /etc/passwd- passed because these items were not found:

Object oval:ssg-object_file_permissions_backup_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd-	oval:ssg-exclude_symlinks__backup_etc_passwd:ste:1	oval:ssg-state_file_permissions_backup_etc_passwd_0_mode_0644or_stricter_:ste:1

Verify Permissions on Backup shadow File

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-002223, AC-6 (1), Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.6, 2.2.6

Description

To properly set the permissions of /etc/shadow-, run the command:

$ sudo chmod 0640 /etc/shadow-

Rationale

The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.

OVAL details

Testing mode of /etc/shadow- passed because these items were not found:

Object oval:ssg-object_file_permissions_backup_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow-	oval:ssg-exclude_symlinks__backup_etc_shadow:ste:1	oval:ssg-state_file_permissions_backup_etc_shadow_0_mode_0640or_stricter_:ste:1

Verify Permissions on group File

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_etc_group

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

To properly set the permissions of /etc/group, run the command:

$ sudo chmod 0644 /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Testing mode of /etc/group passed because these items were not found:

Object oval:ssg-object_file_permissions_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group	oval:ssg-exclude_symlinks__etc_group:ste:1	oval:ssg-state_file_permissions_etc_group_0_mode_0644or_stricter_:ste:1

Verify Permissions on gshadow File

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

To properly set the permissions of /etc/gshadow, run the command:

$ sudo chmod 0640 /etc/gshadow

Rationale

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

OVAL details

Testing mode of /etc/gshadow passed because these items were not found:

Object oval:ssg-object_file_permissions_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow	oval:ssg-exclude_symlinks__etc_gshadow:ste:1	oval:ssg-state_file_permissions_etc_gshadow_0_mode_0640or_stricter_:ste:1

Verify Permissions on passwd File

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

To properly set the permissions of /etc/passwd, run the command:

$ sudo chmod 0644 /etc/passwd

Rationale

If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

OVAL details

Testing mode of /etc/passwd passed because these items were not found:

Object oval:ssg-object_file_permissions_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd	oval:ssg-exclude_symlinks__etc_passwd:ste:1	oval:ssg-state_file_permissions_etc_passwd_0_mode_0644or_stricter_:ste:1

Verify Permissions on shadow File

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

To properly set the permissions of /etc/shadow, run the command:

$ sudo chmod 0640 /etc/shadow

Rationale

OVAL details

Testing mode of /etc/shadow passed because these items were not found:

Object oval:ssg-object_file_permissions_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow	oval:ssg-exclude_symlinks__etc_shadow:ste:1	oval:ssg-state_file_permissions_etc_shadow_0_mode_0640or_stricter_:ste:1

Verify that audit tools are owned by group root

Rule ID

xccdf_org.ssgproject.content_rule_file_groupownership_audit_binaries

Result

pass

Time

2025-05-13T15:26:36

Severity

medium

Identifiers and References

References: CCI-001493, CCI-001494, SRG-OS-000256-GPiOS-00097, SRG-OS-000257-GPOS-00098, 4.1.4.10

Description

The Ubuntu 22.04 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command:

$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch root
/sbin/autrace root
/sbin/auditd root
/sbin/audispd root
/sbin/augenrules root

Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators

Rationale

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.

OVAL details

Testing group ownership of /sbin/auditctl passed because these items were not found:

Object oval:ssg-object_file_groupownership_audit_binaries_0:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/auditctl	oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_groupownership_audit_binaries_gid_0_0:ste:1

Testing group ownership of /sbin/aureport passed because these items were not found:

Object oval:ssg-object_file_groupownership_audit_binaries_1:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/aureport	oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_groupownership_audit_binaries_gid_0_1:ste:1

Testing group ownership of /sbin/ausearch passed because these items were not found:

Object oval:ssg-object_file_groupownership_audit_binaries_2:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/ausearch	oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_groupownership_audit_binaries_gid_0_2:ste:1

Testing group ownership of /sbin/autrace passed because these items were not found:

Object oval:ssg-object_file_groupownership_audit_binaries_3:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/autrace	oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_groupownership_audit_binaries_gid_0_3:ste:1

Testing group ownership of /sbin/auditd passed because these items were not found:

Object oval:ssg-object_file_groupownership_audit_binaries_4:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/auditd	oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_groupownership_audit_binaries_gid_0_4:ste:1

Testing group ownership of /sbin/audispd passed because these items were not found:

Object oval:ssg-object_file_groupownership_audit_binaries_5:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/audispd	oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_groupownership_audit_binaries_gid_0_5:ste:1

Testing group ownership of /sbin/augenrules passed because these items were not found:

Object oval:ssg-object_file_groupownership_audit_binaries_6:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/augenrules	oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_groupownership_audit_binaries_gid_0_6:ste:1

Verify that audit tools are owned by root

Rule ID

xccdf_org.ssgproject.content_rule_file_ownership_audit_binaries

Result

pass

Time

2025-05-13T15:26:36

Severity

medium

Identifiers and References

References: CCI-001493, CCI-001494, SRG-OS-000256-GPiOS-00097, SRG-OS-000257-GPOS-00098, UBTU-22-232110, 4.1.4.9

Description

The Ubuntu 22.04 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command:

$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch root
/sbin/autrace root
/sbin/auditd root
/sbin/audispd root
/sbin/augenrules root

Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators

Rationale

OVAL details

Testing user ownership of /sbin/auditctl passed because these items were not found:

Object oval:ssg-object_file_ownership_audit_binaries_0:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/auditctl	oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_ownership_audit_binaries_uid_0_0:ste:1

Testing user ownership of /sbin/aureport passed because these items were not found:

Object oval:ssg-object_file_ownership_audit_binaries_1:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/aureport	oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_ownership_audit_binaries_uid_0_1:ste:1

Testing user ownership of /sbin/ausearch passed because these items were not found:

Object oval:ssg-object_file_ownership_audit_binaries_2:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/ausearch	oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_ownership_audit_binaries_uid_0_2:ste:1

Testing user ownership of /sbin/autrace passed because these items were not found:

Object oval:ssg-object_file_ownership_audit_binaries_3:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/autrace	oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_ownership_audit_binaries_uid_0_3:ste:1

Testing user ownership of /sbin/auditd passed because these items were not found:

Object oval:ssg-object_file_ownership_audit_binaries_4:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/auditd	oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_ownership_audit_binaries_uid_0_4:ste:1

Testing user ownership of /sbin/audispd passed because these items were not found:

Object oval:ssg-object_file_ownership_audit_binaries_5:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/audispd	oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_ownership_audit_binaries_uid_0_5:ste:1

Testing user ownership of /sbin/augenrules passed because these items were not found:

Object oval:ssg-object_file_ownership_audit_binaries_6:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/augenrules	oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1	oval:ssg-state_file_ownership_audit_binaries_uid_0_6:ste:1

Verify that audit tools Have Mode 0755 or less

Rule ID

xccdf_org.ssgproject.content_rule_file_permissions_audit_binaries

Result

pass

Time

2025-05-13T15:26:36

Severity

medium

Identifiers and References

References: CCI-001493, CCI-001494, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, UBTU-22-232035, 4.1.4.8

Description

The Ubuntu 22.04 operating system audit tools must have the proper permissions configured to protected against unauthorized access. Verify it by running the following command:

$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

/sbin/auditctl 755
/sbin/aureport 755
/sbin/ausearch 755
/sbin/autrace 755
/sbin/auditd 755
/sbin/audispd 755
/sbin/augenrules 755

Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators

Rationale

OVAL details

Testing mode of /sbin/auditctl passed because these items were not found:

Object oval:ssg-object_file_permissions_audit_binaries_0:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/auditctl	oval:ssg-exclude_symlinks__audit_binaries:ste:1	oval:ssg-state_file_permissions_audit_binaries_0_mode_0755or_stricter_:ste:1

Testing mode of /sbin/aureport passed because these items were not found:

Object oval:ssg-object_file_permissions_audit_binaries_1:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/aureport	oval:ssg-exclude_symlinks__audit_binaries:ste:1	oval:ssg-state_file_permissions_audit_binaries_1_mode_0755or_stricter_:ste:1

Testing mode of /sbin/ausearch passed because these items were not found:

Object oval:ssg-object_file_permissions_audit_binaries_2:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/ausearch	oval:ssg-exclude_symlinks__audit_binaries:ste:1	oval:ssg-state_file_permissions_audit_binaries_2_mode_0755or_stricter_:ste:1

Testing mode of /sbin/autrace passed because these items were not found:

Object oval:ssg-object_file_permissions_audit_binaries_3:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/autrace	oval:ssg-exclude_symlinks__audit_binaries:ste:1	oval:ssg-state_file_permissions_audit_binaries_3_mode_0755or_stricter_:ste:1

Testing mode of /sbin/auditd passed because these items were not found:

Object oval:ssg-object_file_permissions_audit_binaries_4:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/auditd	oval:ssg-exclude_symlinks__audit_binaries:ste:1	oval:ssg-state_file_permissions_audit_binaries_4_mode_0755or_stricter_:ste:1

Testing mode of /sbin/audispd passed because these items were not found:

Object oval:ssg-object_file_permissions_audit_binaries_5:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/audispd	oval:ssg-exclude_symlinks__audit_binaries:ste:1	oval:ssg-state_file_permissions_audit_binaries_5_mode_0755or_stricter_:ste:1

Testing mode of /sbin/augenrules passed because these items were not found:

Object oval:ssg-object_file_permissions_audit_binaries_6:obj:1 of type file_object

Filepath	Filter	Filter
/sbin/augenrules	oval:ssg-exclude_symlinks__audit_binaries:ste:1	oval:ssg-state_file_permissions_audit_binaries_6_mode_0755or_stricter_:ste:1

Verify Permissions on /etc/audit/auditd.conf

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: CCI-000171, AU-12(b), SRG-OS-000063-GPOS-00032, UBTU-22-653065, 4.1.4.5

Description

To properly set the permissions of /etc/audit/auditd.conf, run the command:

$ sudo chmod 0640 /etc/audit/auditd.conf

Rationale

Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

OVAL details

Testing mode of /etc/audit/auditd.conf passed because these items were not found:

Object oval:ssg-object_file_permissions_etc_audit_auditd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/audit/auditd.conf	oval:ssg-exclude_symlinks__etc_audit_auditd:ste:1	oval:ssg-state_file_permissions_etc_audit_auditd_0_mode_0640or_stricter_:ste:1

Verify Permissions on /etc/audit/rules.d/*.rules

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd

Result

pass

Time 2025-05-13T15:24:35

Severity medium

Identifiers and References

References: CCI-000171, AU-12(b), SRG-OS-000063-GPOS-00032, UBTU-22-653065, 4.1.4.5

Description

To properly set the permissions of /etc/audit/rules.d/*.rules, run the command:

$ sudo chmod 0640 /etc/audit/rules.d/*.rules

Rationale

OVAL details

Testing mode of /etc/audit/rules.d/ passed because these items were not found:

Object oval:ssg-object_file_permissions_etc_audit_rulesd_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/audit/rules.d	^.*rules$	oval:ssg-exclude_symlinks__etc_audit_rulesd:ste:1	oval:ssg-state_file_permissions_etc_audit_rulesd_0_mode_0640or_stricter_:ste:1

Ensure No World-Writable Files Exist

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable

Result

fail

Time 2025-05-13T15:25:13

Severity medium

Identifiers and References

Description

It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as sysfs or procfs.

Rationale

Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.

Warnings

warning This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of files present on the system. It is not a problem in most cases, but especially systems with a large number of files can be affected. See https://access.redhat.com/articles/6999111.

OVAL details

Check the existence of world-writable files failed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/home/arthur/Desktop/DGSE/service_3/Victim/Victim-file1.iso	regular	1000	1000	662700032	`rw-rw-rw-`
/home/arthur/.ftba/bin/runtime/OpenJDK8U-jre_x64_linux_hotspot_8u312b07/jdk8u312-b07-jre/lib/amd64/server/libjsig.so	regular	1000	1000	0	`rwxrwxrwx`
/home/arthur/Desktop/DGSE/service_3/Victim/Victim.mf	regular	1000	1000	268	`rw-rw-rw-`
/tmp/results.xml	regular	0	0	8402525	`rwxrwxrwx`
/home/arthur/Desktop/DGSE/service_3/Victim/Victim-disk1.vmdk	regular	1000	1000	4023116288	`rw-rw-rw-`
/home/arthur/.ftba/bin/runtime/OpenJDK8U-jre_x64_linux_hotspot_8u312b07/jdk8u312-b07-jre/man/ja	regular	1000	1000	0	`rwxrwxrwx`
/home/arthur/Desktop/404/.wh..git	regular	1000	1000	0	`rwxrwxrwx`
/home/arthur/Desktop/DGSE/service_3/Victim/Victim.ovf	regular	1000	1000	11853	`rw-rw-rw-`
/tmp/report.html	regular	0	0	681838	`rwxrwxrwx`

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure


FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | awk '{ print $1 }')
for PARTITION in $PARTITIONS; do
  find "${PARTITION}" -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null
done

# Ensure /tmp is also fixed whem tmpfs is used.
if grep "^tmpfs /tmp" /proc/mounts; then
  find /tmp -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null
fi

Ensure All Files Are Owned by a Group

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned

Result

pass

Time 2025-05-13T15:25:57

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, SRG-OS-000480-GPOS-00227, 6.1.11, R53, 2.2.6

Description

If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, those files should be deleted or assigned to an appropriate group. Locate the mount points related to local devices by the following command:

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid group using the following command:

$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null

Rationale

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account, or other similar cases. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

Warnings

warning This rule only considers local groups as valid groups. If you have your groups defined outside /etc/group, the rule won't consider those.

OVAL details

there are no files with group owner different than local groups passed because these items were not found:

Object oval:ssg-object_file_permissions_ungroupowned:obj:1 of type file_object

Behaviors

Path

Filename

Filter

/snap/core/17210
/snap/bare/5
/snap/core/17200
/snap/core18/2855
/snap/core18/2846
/snap/core20/2501
/snap/core22/1908
/snap/core20/2571
/snap/core22/1963
/snap/core24/888
/snap/core24/739
/snap/dalfox/313
/snap/discord/238
/snap/discord/239
/snap/ffmpeg-2404/55
/snap/ffmpeg-2404/59
/snap/firefox/6073
/snap/firefox/6103
/snap/gimp/515
/snap/gimp/517
/snap/gnome-3-28-1804/198
/snap/gnome-3-38-2004/143
/snap/gnome-42-2204/176
/snap/gnome-42-2204/202
/snap/gnome-46-2404/77
/snap/gtk2-common-themes/13
/snap/gnome-46-2404/90
/snap/gtk-common-themes/1535
/snap/maxautoclicker/1
/snap/mesa-2404/495
/snap/metasploit-framework/1970
/snap/metasploit-framework/2025
/snap/netflix-web/1
/snap/quick-blackjack/1
/snap/seclists/900
/snap/snap-store/1216
/snap/snap-store/959
/snap/snapd/23771
/snap/snapd/24505
/snap/snapd-desktop-integration/253
/snap/snapd-desktop-integration/83
/snap/telegram-desktop/6593
/snap/telegram-desktop/6597
/snap/walc/19
/snap/wine-platform-runtime/397
/snap/wine-platform-5-stable/18
/boot/efi
/
/var/snap/firefox/common/host-hunspell
0
1
2
3
4
5
6
7
8
9
10
12
13
15
20
21
22
24
25
26
27
29
30
33
34
37
38
39
40
41
42
43
44
45
46
50
60
100
65534
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
1000
136
137
138
139

no value

oval:ssg-state_file_permissions_ungroupowned_local_group_owner:ste:1

Ensure All Files Are Owned by a User

Rule ID xccdf_org.ssgproject.content_rule_no_files_unowned_by_user

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 6.1.10, R53, 2.2.6

Description

If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. Locate the mount points related to local devices by the following command:

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid user using the following command:

$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null

Rationale

Warnings

warning For this rule to evaluate centralized user accounts, getent must be working properly so that running the command

getent passwd

returns a list of all users in your organization. If using the System Security Services Daemon (SSSD),

enumerate = true

must be configured in your organization's domain to return a complete list of users

OVAL details

there are no files without a known owner passed because these items were not found:

Object oval:ssg-object_no_files_unowned_by_user:obj:1 of type file_object

Behaviors

Path

Filename

Filter

0
1
2
3
4
5
6
7
8
9
10
13
33
34
38
39
41
65534
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
1000
129
130
/snap/core/17210
/snap/bare/5
/snap/core/17200
/snap/core18/2855
/snap/core18/2846
/snap/core20/2501
/snap/core22/1908
/snap/core20/2571
/snap/core22/1963
/snap/core24/888
/snap/core24/739
/snap/dalfox/313
/snap/discord/238
/snap/discord/239
/snap/ffmpeg-2404/55
/snap/ffmpeg-2404/59
/snap/firefox/6073
/snap/firefox/6103
/snap/gimp/515
/snap/gimp/517
/snap/gnome-3-28-1804/198
/snap/gnome-3-38-2004/143
/snap/gnome-42-2204/176
/snap/gnome-42-2204/202
/snap/gnome-46-2404/77
/snap/gtk2-common-themes/13
/snap/gnome-46-2404/90
/snap/gtk-common-themes/1535
/snap/maxautoclicker/1
/snap/mesa-2404/495
/snap/metasploit-framework/1970
/snap/metasploit-framework/2025
/snap/netflix-web/1
/snap/quick-blackjack/1
/snap/seclists/900
/snap/snap-store/1216
/snap/snap-store/959
/snap/snapd/23771
/snap/snapd/24505
/snap/snapd-desktop-integration/253
/snap/snapd-desktop-integration/83
/snap/telegram-desktop/6593
/snap/telegram-desktop/6597
/snap/walc/19
/snap/wine-platform-runtime/397
/snap/wine-platform-5-stable/18
/boot/efi
/
/var/snap/firefox/common/host-hunspell

no value

oval:ssg-state_no_files_unowned_by_user_uids_list:ste:1

Verify permissions of log files

Rule ID xccdf_org.ssgproject.content_rule_permissions_local_var_log

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-001312, SI-11(a), SI-11(b), SI-11.1(iii), PR.AC-4, PR.DS-5, SRG-OS-000205-GPOS-00083, UBTU-22-232026, 4.2.3, 10.3.1

Description

Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.

Rationale

The Ubuntu 22.04 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

OVAL details

Testing mode of /var/log/ failed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/var/log/dpkg.log.3.gz	regular	0	0	4083	`rw-r--r--`
/var/log/forticlient	directory	0	0	4096	`rwxr-x--x`
/var/log/installer/initial-status.gz	regular	0	0	390193	`rw-rw-r--`
/var/log/alternatives.log.3.gz	regular	0	0	439	`rw-r--r--`
/var/log/unattended-upgrades/unattended-upgrades.log	regular	0	0	15033	`rw-r--r--`
/var/log/gdm3	directory	0	134	4096	`rwx--x--x`
/var/log/ubuntu-advantage.log.1	regular	0	0	14055	`rw-r--r--`
/var/log/alternatives.log.4.gz	regular	0	0	5681	`rw-r--r--`
/var/log/apt/history.log.1.gz	regular	0	0	4506	`rw-r--r--`
/var/log/unattended-upgrades/unattended-upgrades.log.3.gz	regular	0	0	1159	`rw-r--r--`
/var/log/vbox-setup.log.2	regular	0	0	102	`rw-r--r--`
/var/log/unattended-upgrades/unattended-upgrades.log.1.gz	regular	0	0	1825	`rw-r--r--`
/var/log/unattended-upgrades/unattended-upgrades-shutdown.log.1.gz	regular	0	0	128	`rw-r--r--`
/var/log/alternatives.log.2.gz	regular	0	0	1072	`rw-r--r--`
/var/log/vbox-setup.log.3	regular	0	0	102	`rw-r--r--`
/var/log/vbox-setup.log.1	regular	0	0	102	`rw-r--r--`
/var/log/teamviewer15/signaturekey.log	regular	0	0	525	`rw-r--r--`
/var/log/installer/telemetry	regular	0	0	521	`rw-r--r--`
/var/log/apt/history.log.2.gz	regular	0	0	3544	`rw-r--r--`
/var/log/unattended-upgrades/unattended-upgrades-shutdown.log	regular	0	0	0	`rw-r--r--`
/var/log/alternatives.log.1	regular	0	0	8382	`rw-r--r--`
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log.4.gz	regular	0	4	4429	`rw-r--r--`
/var/log/ubuntu-advantage-apt-hook.log	regular	0	0	0	`rw-r--r--`
/var/log/private	directory	0	0	4096	`rwx------`
/var/log/teamviewer15/TVNetwork.log	regular	0	0	79808	`rw-r--r--`
/var/log/dpkg.log	regular	0	0	338355	`rw-r--r--`
/var/log/teamviewer15/install_teamviewerd.log	regular	0	0	913	`rw-r--r--`
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log.1.gz	regular	0	4	3260	`rw-r--r--`
/var/log/teamviewer15/TeamViewer15_Logfile.log	regular	0	0	720330	`rw-r--r--`
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log	regular	0	4	41146	`rw-r--r--`
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log.2.gz	regular	0	4	2761	`rw-r--r--`
/var/log/vbox-setup.log	regular	0	0	102	`rw-r--r--`
/var/log/unattended-upgrades/unattended-upgrades.log.2.gz	regular	0	0	1526	`rw-r--r--`
/var/log/alternatives.log	regular	0	0	2463	`rw-r--r--`
/var/log/ubuntu-advantage.log	regular	0	0	0	`rw-r--r--`
/var/log/installer/media-info	regular	0	0	65	`rw-r--r--`
/var/log/dpkg.log.4.gz	regular	0	0	133580	`rw-r--r--`
/var/log/fontconfig.log	regular	0	0	12755	`rw-r--r--`
/var/log/apt/history.log.3.gz	regular	0	0	1161	`rw-r--r--`
/var/log/btmp.1	regular	0	43	0	`rw-rw----`
/var/log/speech-dispatcher	directory	119	0	4096	`rwx------`
/var/log/unattended-upgrades/unattended-upgrades.log.4.gz	regular	0	0	2183	`rw-r--r--`
/var/log/dpkg.log.1	regular	0	0	226850	`rw-r--r--`
/var/log/gpu-manager.log	regular	0	0	1489	`rw-r--r--`
/var/log/faillog	regular	0	0	32032	`rw-r--r--`
/var/log/bootstrap.log	regular	0	0	108494	`rw-r--r--`
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log.3.gz	regular	0	4	2007	`rw-r--r--`
/var/log/apt/history.log.4.gz	regular	0	0	36509	`rw-r--r--`
/var/log/dpkg.log.2.gz	regular	0	0	12962	`rw-r--r--`

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Find /var/log/ file(s) recursively
  command: find -H /var/log/  -perm /u+xs,g+xws,o+xwrt ! -name "history.log" ! -name
    "eipp.log.xz" ! -name "*[bw]tmp" ! -name "*lastlog" -type f -regex ".*"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
  - DISA-STIG-UBTU-22-232026
  - NIST-800-53-SI-11(a)
  - NIST-800-53-SI-11(b)
  - NIST-800-53-SI-11.1(iii)
  - PCI-DSSv4-10.3.1
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_var_log

- name: Set permissions for /var/log/ file(s)
  file:
    path: '{{ item }}'
    mode: u-xs,g-xws,o-xwrt
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  tags:
  - DISA-STIG-UBTU-22-232026
  - NIST-800-53-SI-11(a)
  - NIST-800-53-SI-11(b)
  - NIST-800-53-SI-11.1(iii)
  - PCI-DSSv4-10.3.1
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_var_log

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure






find -H /var/log/  -perm /u+xs,g+xws,o+xwrt ! -name 'history.log' ! -name 'eipp.log.xz' ! -name '*[bw]tmp' ! -name '*lastlog' -type f -regex '.*' -exec chmod u-xs,g-xws,o-xwrt {} \;

Disable the Automounter

Rule ID	xccdf_org.ssgproject.content_rule_service_autofs_disabled
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.1.9
Description	The `autofs` daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as `/misc/cd`. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing `/etc/fstab` rather than relying on the automounter. The `autofs` service can be disabled with the following command: $ sudo systemctl mask --now autofs.service
Rationale	Disabling the automounter permits the administrator to statically control filesystem mounting through `/etc/fstab`. Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.

Disable Mounting of cramfs

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled

Result

fail

Time 2025-05-13T15:26:36

Severity low

Identifiers and References

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, 1.1.1.1

Description

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:

install cramfs /bin/true

This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.

Rationale

Removing support for unneeded filesystem types reduces the local attack surface of the server.

OVAL details

kernel module cramfs blacklisted failed because these items were missing:

Object oval:ssg-obj_kernmod_cramfs_blacklisted:obj:1 of type textfilecontent54_object

Path

Filename

Pattern

Instance

/etc/modprobe.d

/etc/modules-load.d

/run/modprobe.d

/run/modules-load.d

/usr/lib/modprobe.d

/usr/lib/modules-load.d

^.*\.conf$

^blacklist\s+cramfs$

kernel module cramfs disabled failed because these items were missing:

Object oval:ssg-obj_kernmod_cramfs_disabled:obj:1 of type textfilecontent54_object

Path

Filename

Pattern

Instance

/etc/modprobe.d

/etc/modules-load.d

/run/modprobe.d

/run/modules-load.d

/usr/lib/modprobe.d

/usr/lib/modules-load.d

^.*\.conf$

^\s*install\s+cramfs\s+(/bin/false|/bin/true)$

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure kernel module 'cramfs' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/cramfs.conf
    regexp: install\s+cramfs
    line: install cramfs /bin/false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - kernel_module_cramfs_disabled
  - low_complexity
  - low_severity
  - medium_disruption
  - reboot_required

- name: Ensure kernel module 'cramfs' is blacklisted
  lineinfile:
    create: true
    dest: /etc/modprobe.d/cramfs.conf
    regexp: ^blacklist cramfs$
    line: blacklist cramfs
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - kernel_module_cramfs_disabled
  - low_complexity
  - low_severity
  - medium_disruption
  - reboot_required

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
	
	sed -i 's#^install cramfs.*#install cramfs /bin/false#g' /etc/modprobe.d/cramfs.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
	echo "install cramfs /bin/false" >> /etc/modprobe.d/cramfs.conf
fi

if ! LC_ALL=C grep -q -m 1 "^blacklist cramfs$" /etc/modprobe.d/cramfs.conf ; then
	echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Modprobe Loading of USB Storage Driver

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, SRG-APP-000141-CTR-000315, UBTU-22-291010, 1.1.10, 3.4.2

Description

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:

install usb-storage /bin/true

This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.

Rationale

USB storage devices such as thumb drives can be used to introduce malicious software.

OVAL details

kernel module usb-storage blacklisted failed because these items were missing:

Object oval:ssg-obj_kernmod_usb-storage_blacklisted:obj:1 of type textfilecontent54_object

Path

Filename

Pattern

Instance

/etc/modprobe.d

/etc/modules-load.d

/run/modprobe.d

/run/modules-load.d

/usr/lib/modprobe.d

/usr/lib/modules-load.d

^.*\.conf$

^blacklist\s+usb-storage$

kernel module usb-storage disabled failed because these items were missing:

Object oval:ssg-obj_kernmod_usb-storage_disabled:obj:1 of type textfilecontent54_object

Path

Filename

Pattern

Instance

/etc/modprobe.d

/etc/modules-load.d

/run/modprobe.d

/run/modules-load.d

/usr/lib/modprobe.d

/usr/lib/modules-load.d

^.*\.conf$

^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure kernel module 'usb-storage' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/usb-storage.conf
    regexp: install\s+usb-storage
    line: install usb-storage /bin/false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-291010
  - NIST-800-171-3.1.21
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - PCI-DSSv4-3.4.2
  - disable_strategy
  - kernel_module_usb-storage_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

- name: Ensure kernel module 'usb-storage' is blacklisted
  lineinfile:
    create: true
    dest: /etc/modprobe.d/usb-storage.conf
    regexp: ^blacklist usb-storage$
    line: blacklist usb-storage
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-291010
  - NIST-800-171-3.1.21
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - PCI-DSSv4-3.4.2
  - disable_strategy
  - kernel_module_usb-storage_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then
	
	sed -i 's#^install usb-storage.*#install usb-storage /bin/false#g' /etc/modprobe.d/usb-storage.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf
	echo "install usb-storage /bin/false" >> /etc/modprobe.d/usb-storage.conf
fi

if ! LC_ALL=C grep -q -m 1 "^blacklist usb-storage$" /etc/modprobe.d/usb-storage.conf ; then
	echo "blacklist usb-storage" >> /etc/modprobe.d/usb-storage.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Add nodev Option to /dev/shm

Rule ID xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.8.1

Description

The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

OVAL details

nodev on /dev/shm failed because of these items:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	inode64	2008028	1841	2006187

/dev/shm exists failed because of these items:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	inode64	2008028	1841	2006187

nodev on /dev/shm in /etc/fstab failed because these items were missing:

Object oval:ssg-object_dev_shm_partition_nodev_expected_in_fstab:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/fstab	^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+)	1

State oval:ssg-state_dev_shm_partition_nodev_expected_in_fstab:ste:1 of type textfilecontent54_state

Instance	Subexpression
1	nodev

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
  command: findmnt  '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /dev/shm: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /dev/shm
    - tmpfs
    - tmpfs
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("" | length == 0)
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length == 0)
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /dev/shm: Make sure nodev option is part of the to /dev/shm
    options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nodev" not in mount_info.options
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /dev/shm: Ensure /dev/shm is mounted with nodev option'
  mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
    length == 0)
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_nodev
  - no_reboot_needed

Remediation Shell script: (show)

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    


    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
        fs_type="tmpfs"
        if [  "$fs_type" == "iso9660" ] ; then
            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
        fi
        echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
    fi


    if mkdir -p "/dev/shm"; then
        if mountpoint -q "/dev/shm"; then
            mount -o remount --target "/dev/shm"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Add noexec Option to /dev/shm

Rule ID xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.

OVAL details

noexec on /dev/shm failed because of these items:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	inode64	2008028	1841	2006187

/dev/shm exists failed because of these items:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	inode64	2008028	1841	2006187

noexec on /dev/shm in /etc/fstab failed because these items were missing:

Object oval:ssg-object_dev_shm_partition_noexec_expected_in_fstab:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/fstab	^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+)	1

State oval:ssg-state_dev_shm_partition_noexec_expected_in_fstab:ste:1 of type textfilecontent54_state

Instance	Subexpression
1	noexec

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
  command: findmnt  '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: If /dev/shm not mounted, craft mount_info
    manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /dev/shm
    - tmpfs
    - tmpfs
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("" | length == 0)
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length == 0)
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Make sure noexec option is part of the to
    /dev/shm options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "noexec" not in mount_info.options
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Ensure /dev/shm is mounted with noexec option'
  mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
    length == 0)
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

Remediation Shell script: (show)

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    


    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
        fs_type="tmpfs"
        if [  "$fs_type" == "iso9660" ] ; then
            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
        fi
        echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
    fi


    if mkdir -p "/dev/shm"; then
        if mountpoint -q "/dev/shm"; then
            mount -o remount --target "/dev/shm"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Add nosuid Option to /dev/shm

Rule ID xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

OVAL details

nosuid on /dev/shm failed because of these items:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	inode64	2008028	1841	2006187

/dev/shm exists failed because of these items:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	inode64	2008028	1841	2006187

nosuid on /dev/shm in /etc/fstab failed because these items were missing:

Object oval:ssg-object_dev_shm_partition_nosuid_expected_in_fstab:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/fstab	^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+)	1

State oval:ssg-state_dev_shm_partition_nosuid_expected_in_fstab:ste:1 of type textfilecontent54_state

Instance	Subexpression
1	nosuid

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'
  command: findmnt  '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /dev/shm: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /dev/shm: If /dev/shm not mounted, craft mount_info
    manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /dev/shm
    - tmpfs
    - tmpfs
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("" | length == 0)
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length == 0)
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /dev/shm: Make sure nosuid option is part of the to
    /dev/shm options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nosuid" not in mount_info.options
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /dev/shm: Ensure /dev/shm is mounted with nosuid option'
  mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
    length == 0)
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_nosuid
  - no_reboot_needed

Remediation Shell script: (show)

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    


    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
        fs_type="tmpfs"
        if [  "$fs_type" == "iso9660" ] ; then
            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
        fi
        echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
    fi


    if mkdir -p "/dev/shm"; then
        if mountpoint -q "/dev/shm"; then
            mount -o remount --target "/dev/shm"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Add nodev Option to /home

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_home_nodev
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	unknown
Identifiers and References	References: SRG-OS-000368-GPOS-00154, 1.1.7.2
Description	The `nodev` mount option can be used to prevent device files from being created in `/home`. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/home`.
Rationale	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.

Add nosuid Option to /home

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, 1.1.7.3, R28
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/home`. The SUID and SGID permissions should not be required in these user data directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/home`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.

Add nodev Option to /tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.2.2
Description	The `nodev` mount option can be used to prevent device files from being created in `/tmp`. Legitimate character and block devices should not exist within temporary directories like `/tmp`. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/tmp`.
Rationale	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.2.3, R28
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/tmp`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/tmp`.
Rationale	Allowing users to execute binaries from world-writable directories such as `/tmp` should never be necessary in normal operation and can expose the system to potential compromise.

Add nosuid Option to /tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.2.4, R28
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/tmp`. The SUID and SGID permissions should not be required in these world-writable directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/tmp`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Add nodev Option to /var/log/audit

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.6.3
Description	The `nodev` mount option can be used to prevent device files from being created in `/var/log/audit`. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log/audit`.
Rationale	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /var/log/audit

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.6.2
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/var/log/audit`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log/audit`.
Rationale	Allowing users to execute binaries from directories containing audit log files such as `/var/log/audit` should never be necessary in normal operation and can expose the system to potential compromise.

Add nosuid Option to /var/log/audit

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.6.4
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var/log/audit`. The SUID and SGID permissions should not be required in directories containing audit log files. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log/audit`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files.

Add nodev Option to /var/log

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.5.2
Description	The `nodev` mount option can be used to prevent device files from being created in `/var/log`. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log`.
Rationale	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /var/log

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.5.3, R28
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/var/log`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log`.
Rationale	Allowing users to execute binaries from directories containing log files such as `/var/log` should never be necessary in normal operation and can expose the system to potential compromise.

Add nosuid Option to /var/log

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.5.4, R28
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var/log`. The SUID and SGID permissions should not be required in directories containing log files. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.

Add nodev Option to /var

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_nodev
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.3.2
Description	The `nodev` mount option can be used to prevent device files from being created in `/var`. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var`.
Rationale	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.

Add nosuid Option to /var

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_nosuid
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 1.1.3.3, R28
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var`. The SUID and SGID permissions should not be required for this directory. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var`.
Rationale	The presence of SUID and SGID executables should be tightly controlled.

Add nodev Option to /var/tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CCI-001764, SRG-OS-000368-GPOS-00154, 1.1.4.4
Description	The `nodev` mount option can be used to prevent device files from being created in `/var/tmp`. Legitimate character and block devices should not exist within temporary directories like `/var/tmp`. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/tmp`.
Rationale	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /var/tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CCI-001764, SRG-OS-000368-GPOS-00154, 1.1.4.2, R28
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/var/tmp`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/tmp`.
Rationale	Allowing users to execute binaries from world-writable directories such as `/var/tmp` should never be necessary in normal operation and can expose the system to potential compromise.

Add nosuid Option to /var/tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CCI-001764, SRG-OS-000368-GPOS-00154, 1.1.4.3, R28
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var/tmp`. The SUID and SGID permissions should not be required in these world-writable directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/tmp`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Disable Core Dumps for All Users

Rule ID xccdf_org.ssgproject.content_rule_disable_users_coredumps

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 1, 12, 13, 15, 16, 2, 7, 8, APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07, CCI-000366, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.17.2.1, CM-6, SC-7(10), DE.CM-1, PR.DS-4, SRG-OS-000480-GPOS-00227, 1.5.4, 3.3.1.1

Description

To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory:

*     hard   core    0

Rationale

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

OVAL details

Tests the value of the ^[\s]\[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory failed because these items were missing:

Object oval:ssg-object_core_dumps_limits_d:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/security/limits.d	^.*\.conf$	^[\s]\[\s]+(?:hard\|-)[\s]+core[\s]+([\d]+)	1

State oval:ssg-state_core_dumps_limits_d:ste:1 of type textfilecontent54_state

Subexpression
0

Tests for existance of the ^[\s]\[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory failed because these items were missing:

Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/security/limits.d	^.*\.conf$	^[\s]\[\s]+(?:hard\|-)[\s]+core	1

Tests the value of the ^[\s]\[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file failed because these items were missing:

Object oval:ssg-object_core_dumps_limitsconf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/limits.conf	^[\s]\[\s]+(?:hard\|-)[\s]+core[\s]+([\d]+)	1

State oval:ssg-state_core_dumps_limitsconf:ste:1 of type textfilecontent54_state

Subexpression
0

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6
  - NIST-800-53-SC-7(10)
  - PCI-DSSv4-3.3.1.1
  - disable_users_coredumps
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Disable core dumps with limits
  lineinfile:
    dest: /etc/security/limits.conf
    regexp: ^[^#].*core
    line: '*        hard       core      0'
    create: true
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6
  - NIST-800-53-SC-7(10)
  - PCI-DSSv4-3.3.1.1
  - disable_users_coredumps
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

SECURITY_LIMITS_FILE="/etc/security/limits.conf"

if grep -qE '^\s*\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then
        sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILE
else
        echo "*     hard   core    0" >> $SECURITY_LIMITS_FILE
fi

if ls /etc/security/limits.d/*.conf > /dev/null; then
        sed -ri '/^\s*\*\s+hard\s+core/d' /etc/security/limits.d/*.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Core Dumps for SUID programs

Rule ID xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), 1.5.4, R14, 3.3.1.1

Description

To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:

$ sudo sysctl -w fs.suid_dumpable=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

fs.suid_dumpable = 0

Rationale

The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*fs.suid_dumpable.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-SI-11(a)
  - NIST-800-53-SI-11(b)
  - PCI-DSSv4-3.3.1.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_fs_suid_dumpable

- name: Comment out any occurrences of fs.suid_dumpable from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*fs.suid_dumpable
    replace: '#fs.suid_dumpable'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-SI-11(a)
  - NIST-800-53-SI-11(b)
  - PCI-DSSv4-3.3.1.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_fs_suid_dumpable

- name: Ensure sysctl fs.suid_dumpable is set to 0
  sysctl:
    name: fs.suid_dumpable
    value: '0'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-SI-11(a)
  - NIST-800-53-SI-11(b)
  - PCI-DSSv4-3.3.1.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_fs_suid_dumpable

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of fs.suid_dumpable from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*fs.suid_dumpable.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "fs.suid_dumpable" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"


#
# Set runtime for fs.suid_dumpable
#
/sbin/sysctl -q -n -w fs.suid_dumpable="0"

#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
#	else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.suid_dumpable")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^fs.suid_dumpable\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^fs.suid_dumpable\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Randomized Layout of Virtual Address Space

Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), Req-2.2.1, SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, SRG-APP-000450-CTR-001105, UBTU-22-213020, 1.5.1, R9, 3.3.1.1

Description

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

$ sudo sysctl -w kernel.randomize_va_space=2

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.randomize_va_space = 2

Rationale

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /usr/lib/sysctl.d/
    contains: ^[\s]*kernel.randomize_va_space.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-213020
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - PCI-DSS-Req-2.2.1
  - PCI-DSSv4-3.3.1.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_randomize_va_space

- name: Comment out any occurrences of kernel.randomize_va_space from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.randomize_va_space
    replace: '#kernel.randomize_va_space'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-213020
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - PCI-DSS-Req-2.2.1
  - PCI-DSSv4-3.3.1.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_randomize_va_space

- name: Ensure sysctl kernel.randomize_va_space is set to 2
  sysctl:
    name: kernel.randomize_va_space
    value: '2'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-22-213020
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - PCI-DSS-Req-2.2.1
  - PCI-DSSv4-3.3.1.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_randomize_va_space

Remediation Shell script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.randomize_va_space" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE="/etc/sysctl.conf"


#
# Set runtime for kernel.randomize_va_space
#
/sbin/sysctl -q -n -w kernel.randomize_va_space="2"

#
# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
#	else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "2"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Apport Service

Rule ID xccdf_org.ssgproject.content_rule_service_apport_disabled

Result

fail

Time 2025-05-13T15:26:36

Severity unknown

Identifiers and References

References: 1.5.3

Description

The Apport modifies certain kernel configuration values at runtime which may decrease the overall security of the system and expose sensitive data. The apport service can be disabled with the following command:

$ sudo systemctl mask --now apport.service

Rationale

The Apport service modifies the kernel fs.suid_dumpable configuration at runtime which prevents other hardening from being persistent. Disabling the service prevents this behavior.

OVAL details

package apport is removed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
apport	all	0	0ubuntu82.6	2.20.11	0:2.20.11-0ubuntu82.6

Test that the apport service is not running failed because of these items:

Unit	Property	Value
apport.service	ActiveState	active

Test that the property LoadState from the service apport is masked failed because of these items:

Unit	Property	Value
apport.service	LoadState	loaded

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_apport_disabled
  - unknown_severity

- name: Disable Apport Service - Collect systemd Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"apport" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_apport_disabled
  - unknown_severity

- name: Disable Apport Service - Ensure "apport.service" is Masked
  ansible.builtin.systemd:
    name: apport.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"apport" in ansible_facts.packages'
  - service_exists.stdout_lines is search("apport.service",multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_apport_disabled
  - unknown_severity

- name: Unit Socket Exists - apport.socket
  ansible.builtin.command: systemctl -q list-unit-files apport.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"apport" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_apport_disabled
  - unknown_severity

- name: Disable socket apport
  ansible.builtin.systemd:
    name: apport.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"apport" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("apport.socket",multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_apport_disabled
  - unknown_severity

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include disable_apport

class disable_apport {
  service {'apport':
    enable => false,
    ensure => 'stopped',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'apport' 2>/dev/null | grep -q installed; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'apport.service'
"$SYSTEMCTL_EXEC" disable 'apport.service'
"$SYSTEMCTL_EXEC" mask 'apport.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files apport.socket; then
    "$SYSTEMCTL_EXEC" stop 'apport.socket'
    "$SYSTEMCTL_EXEC" mask 'apport.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'apport.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: apport.service
        enabled: false
        mask: true
      - name: apport.socket
        enabled: false
        mask: true

Remediation script: (show)


[customizations.services]
masked = ["apport"]

Uninstall avahi Server Package

Rule ID xccdf_org.ssgproject.content_rule_package_avahi_removed

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.2

Description

If the system does not need to have an Avahi server which implements the DNS Service Discovery and Multicast DNS protocols, the avahi-autoipd and avahi packages can be uninstalled.

Rationale

Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface.

OVAL details

package avahi-daemon is removed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
avahi-daemon	amd64	0	5ubuntu5.2	0.8	0:0.8-5ubuntu5.2

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Ensure avahi-daemon is removed
  package:
    name: avahi-daemon
    state: absent
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_avahi_removed

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

include remove_avahi-daemon

class remove_avahi-daemon {
  package { 'avahi-daemon':
    ensure => 'purged',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable


# CAUTION: This remediation script will remove avahi-daemon
#	   from the system, and may remove any packages
#	   that depend on avahi-daemon. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

DEBIAN_FRONTEND=noninteractive apt-get remove -y "avahi-daemon"

Disable Avahi Server Software

Rule ID xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

The avahi-daemon service can be disabled with the following command:

$ sudo systemctl mask --now avahi-daemon.service

Rationale

Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.

OVAL details

package avahi-daemon is removed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
avahi-daemon	amd64	0	5ubuntu5.2	0.8	0:0.8-5ubuntu5.2

Test that the avahi-daemon service is not running failed because of these items:

Unit	Property	Value
avahi-daemon.service	ActiveState	active
avahi-daemon.socket	ActiveState	active

Test that the property LoadState from the service avahi-daemon is masked failed because of these items:

Unit	Property	Value
avahi-daemon.socket	LoadState	loaded
avahi-daemon.service	LoadState	loaded

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_avahi-daemon_disabled

- name: Disable Avahi Server Software - Collect systemd Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
    "container"] and "avahi-daemon" in ansible_facts.packages )
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_avahi-daemon_disabled

- name: Disable Avahi Server Software - Ensure "avahi-daemon.service" is Masked
  ansible.builtin.systemd:
    name: avahi-daemon.service
    state: stopped
    enabled: false
    masked: true
  when:
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and "avahi-daemon" in ansible_facts.packages )
  - service_exists.stdout_lines is search("avahi-daemon.service",multiline=True)
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_avahi-daemon_disabled

- name: Unit Socket Exists - avahi-daemon.socket
  ansible.builtin.command: systemctl -q list-unit-files avahi-daemon.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
    "container"] and "avahi-daemon" in ansible_facts.packages )
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_avahi-daemon_disabled

- name: Disable socket avahi-daemon
  ansible.builtin.systemd:
    name: avahi-daemon.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and "avahi-daemon" in ansible_facts.packages )
  - socket_file_exists.stdout_lines is search("avahi-daemon.socket",multiline=True)
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_avahi-daemon_disabled

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include disable_avahi-daemon

class disable_avahi-daemon {
  service {'avahi-daemon':
    enable => false,
    ensure => 'stopped',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'avahi-daemon' 2>/dev/null | grep -q installed ); then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'avahi-daemon.service'
"$SYSTEMCTL_EXEC" disable 'avahi-daemon.service'
"$SYSTEMCTL_EXEC" mask 'avahi-daemon.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files avahi-daemon.socket; then
    "$SYSTEMCTL_EXEC" stop 'avahi-daemon.socket'
    "$SYSTEMCTL_EXEC" mask 'avahi-daemon.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'avahi-daemon.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: avahi-daemon.service
        enabled: false
        mask: true
      - name: avahi-daemon.socket
        enabled: false
        mask: true

Remediation script: (show)


[customizations.services]
masked = ["avahi-daemon"]

Ensure that /etc/at.deny does not exist

Rule ID xccdf_org.ssgproject.content_rule_file_at_deny_not_exist

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 5.1.9, 2.2.6

Description

The file /etc/at.deny should not exist. Use /etc/at.allow instead.

Rationale

Access to at should be restricted. It is easier to manage an allow list than a deny list.

OVAL details

Test that that /etc/at.deny does not exist passed because these items were not found:

Object oval:ssg-object_file_at_deny_not_exist:obj:1 of type file_object

Filepath
/etc/at.deny

Ensure that /etc/cron.deny does not exist

Rule ID xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 5.1.8, 2.2.6

Description

The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.

Rationale

Access to cron should be restricted. It is easier to manage an allow list than a deny list.

OVAL details

Test that that /etc/cron.deny does not exist passed because these items were not found:

Object oval:ssg-object_file_cron_deny_not_exist:obj:1 of type file_object

Filepath
/etc/cron.deny

Verify Group Who Owns /etc/at.allow file

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_at_allow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 5.1.9, 2.2.6

Description

If /etc/at.allow exists, it must be group-owned by root. To properly set the group owner of /etc/at.allow, run the command:

$ sudo chgrp root /etc/at.allow

Rationale

If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL details

Testing group ownership of /etc/at.allow passed because these items were not found:

Object oval:ssg-object_file_groupowner_at_allow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/at.allow	oval:ssg-symlink_file_groupowner_at_allow_uid_0:ste:1	oval:ssg-state_file_groupowner_at_allow_gid_0_0:ste:1

Verify Group Who Owns /etc/cron.allow file

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.8, 2.2.6

Description

If /etc/cron.allow exists, it must be group-owned by crontab. To properly set the group owner of /etc/cron.allow, run the command:

$ sudo chgrp crontab /etc/cron.allow

Rationale

If the owner of the cron.allow file is not set to crontab, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL details

Testing group ownership of /etc/cron.allow passed because these items were not found:

Object oval:ssg-object_file_groupowner_cron_allow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/cron.allow	oval:ssg-symlink_file_groupowner_cron_allow_uid_crontab:ste:1	oval:ssg-state_file_groupowner_cron_allow_gid_crontab_0:ste:1

Verify User Who Owns /etc/at.allow file

Rule ID xccdf_org.ssgproject.content_rule_file_owner_at_allow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 5.1.9, 2.2.6

Description

If /etc/at.allow exists, it must be owned by root. To properly set the owner of /etc/at.allow, run the command:

$ sudo chown root /etc/at.allow

Rationale

If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL details

Testing user ownership of /etc/at.allow passed because these items were not found:

Object oval:ssg-object_file_owner_at_allow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/at.allow	oval:ssg-symlink_file_owner_at_allow_uid_0:ste:1	oval:ssg-state_file_owner_at_allow_uid_0_0:ste:1

Verify User Who Owns /etc/cron.allow file

Rule ID xccdf_org.ssgproject.content_rule_file_owner_cron_allow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

If /etc/cron.allow exists, it must be owned by root. To properly set the owner of /etc/cron.allow, run the command:

$ sudo chown root /etc/cron.allow

Rationale

If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL details

Testing user ownership of /etc/cron.allow passed because these items were not found:

Object oval:ssg-object_file_owner_cron_allow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/cron.allow	oval:ssg-symlink_file_owner_cron_allow_uid_0:ste:1	oval:ssg-state_file_owner_cron_allow_uid_0_0:ste:1

Verify Permissions on /etc/at.allow file

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_at_allow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 5.1.9, 2.2.6

Description

If /etc/at.allow exists, it must have permissions 0640 or more restrictive. To properly set the permissions of /etc/at.allow, run the command:

$ sudo chmod 0640 /etc/at.allow

Rationale

If the permissions of the at.allow file are not set to 0640 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL details

Testing mode of /etc/at.allow passed because these items were not found:

Object oval:ssg-object_file_permissions_at_allow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/at.allow	oval:ssg-exclude_symlinks__at_allow:ste:1	oval:ssg-state_file_permissions_at_allow_0_mode_0640or_stricter_:ste:1

Verify Permissions on /etc/cron.allow file

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_cron_allow

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: SRG-OS-000480-GPOS-00227, 5.1.8, 2.2.6

Description

If /etc/cron.allow exists, it must have permissions 0640 or more restrictive. To properly set the permissions of /etc/cron.allow, run the command:

$ sudo chmod 0640 /etc/cron.allow

Rationale

If the permissions of the cron.allow file are not set to 0640 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL details

Testing mode of /etc/cron.allow passed because these items were not found:

Object oval:ssg-object_file_permissions_cron_allow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/cron.allow	oval:ssg-exclude_symlinks__cron_allow:ste:1	oval:ssg-state_file_permissions_cron_allow_0_mode_0640or_stricter_:ste:1

Enable cron Service

Rule ID xccdf_org.ssgproject.content_rule_service_cron_enabled

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), PR.IP-1, PR.PT-3, 5.1.1

Description

The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The cron service can be enabled with the following command:

$ sudo systemctl enable cron.service

Rationale

Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

OVAL details

package cron is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr
cron	amd64	0	137ubuntu3	3.0pl1	0:3.0pl1-137ubuntu3

Test that the cron service is running passed because of these items:

Unit	Property	Value
cron.service	ActiveState	active

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

Verify Group Who Owns cron.d

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_cron_d

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.7, 2.2.6

Description

To properly set the group owner of /etc/cron.d, run the command:

$ sudo chgrp root /etc/cron.d

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

OVAL details

Testing group ownership of /etc/cron.d/ passed because these items were not found:

Object oval:ssg-object_file_groupowner_cron_d_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.d	no value	oval:ssg-symlink_file_groupowner_cron_d_uid_0:ste:1	oval:ssg-state_file_groupowner_cron_d_gid_0_0:ste:1

Verify Group Who Owns cron.daily

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.4, 2.2.6

Description

To properly set the group owner of /etc/cron.daily, run the command:

$ sudo chgrp root /etc/cron.daily

Rationale

OVAL details

Testing group ownership of /etc/cron.daily/ passed because these items were not found:

Object oval:ssg-object_file_groupowner_cron_daily_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.daily	no value	oval:ssg-symlink_file_groupowner_cron_daily_uid_0:ste:1	oval:ssg-state_file_groupowner_cron_daily_gid_0_0:ste:1

Verify Group Who Owns cron.hourly

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.3, 2.2.6

Description

To properly set the group owner of /etc/cron.hourly, run the command:

$ sudo chgrp root /etc/cron.hourly

Rationale

OVAL details

Testing group ownership of /etc/cron.hourly/ passed because these items were not found:

Object oval:ssg-object_file_groupowner_cron_hourly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.hourly	no value	oval:ssg-symlink_file_groupowner_cron_hourly_uid_0:ste:1	oval:ssg-state_file_groupowner_cron_hourly_gid_0_0:ste:1

Verify Group Who Owns cron.monthly

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.6, 2.2.6

Description

To properly set the group owner of /etc/cron.monthly, run the command:

$ sudo chgrp root /etc/cron.monthly

Rationale

OVAL details

Testing group ownership of /etc/cron.monthly/ passed because these items were not found:

Object oval:ssg-object_file_groupowner_cron_monthly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.monthly	no value	oval:ssg-symlink_file_groupowner_cron_monthly_uid_0:ste:1	oval:ssg-state_file_groupowner_cron_monthly_gid_0_0:ste:1

Verify Group Who Owns cron.weekly

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.5, 2.2.6

Description

To properly set the group owner of /etc/cron.weekly, run the command:

$ sudo chgrp root /etc/cron.weekly

Rationale

OVAL details

Testing group ownership of /etc/cron.weekly/ passed because these items were not found:

Object oval:ssg-object_file_groupowner_cron_weekly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.weekly	no value	oval:ssg-symlink_file_groupowner_cron_weekly_uid_0:ste:1	oval:ssg-state_file_groupowner_cron_weekly_gid_0_0:ste:1

Verify Group Who Owns Crontab

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_crontab

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.2, 2.2.6

Description

To properly set the group owner of /etc/crontab, run the command:

$ sudo chgrp root /etc/crontab

Rationale

OVAL details

Testing group ownership of /etc/crontab passed because these items were not found:

Object oval:ssg-object_file_groupowner_crontab_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/crontab	oval:ssg-symlink_file_groupowner_crontab_uid_0:ste:1	oval:ssg-state_file_groupowner_crontab_gid_0_0:ste:1

Verify Owner on cron.d

Rule ID xccdf_org.ssgproject.content_rule_file_owner_cron_d

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.7, 2.2.6

Description

To properly set the owner of /etc/cron.d, run the command:

$ sudo chown root /etc/cron.d

Rationale

OVAL details

Testing user ownership of /etc/cron.d/ passed because these items were not found:

Object oval:ssg-object_file_owner_cron_d_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.d	no value	oval:ssg-symlink_file_owner_cron_d_uid_0:ste:1	oval:ssg-state_file_owner_cron_d_uid_0_0:ste:1

Verify Owner on cron.daily

Rule ID xccdf_org.ssgproject.content_rule_file_owner_cron_daily

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.4, 2.2.6

Description

To properly set the owner of /etc/cron.daily, run the command:

$ sudo chown root /etc/cron.daily

Rationale

OVAL details

Testing user ownership of /etc/cron.daily/ passed because these items were not found:

Object oval:ssg-object_file_owner_cron_daily_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.daily	no value	oval:ssg-symlink_file_owner_cron_daily_uid_0:ste:1	oval:ssg-state_file_owner_cron_daily_uid_0_0:ste:1

Verify Owner on cron.hourly

Rule ID xccdf_org.ssgproject.content_rule_file_owner_cron_hourly

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.3, 2.2.6

Description

To properly set the owner of /etc/cron.hourly, run the command:

$ sudo chown root /etc/cron.hourly

Rationale

OVAL details

Testing user ownership of /etc/cron.hourly/ passed because these items were not found:

Object oval:ssg-object_file_owner_cron_hourly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.hourly	no value	oval:ssg-symlink_file_owner_cron_hourly_uid_0:ste:1	oval:ssg-state_file_owner_cron_hourly_uid_0_0:ste:1

Verify Owner on cron.monthly

Rule ID xccdf_org.ssgproject.content_rule_file_owner_cron_monthly

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.6, 2.2.6

Description

To properly set the owner of /etc/cron.monthly, run the command:

$ sudo chown root /etc/cron.monthly

Rationale

OVAL details

Testing user ownership of /etc/cron.monthly/ passed because these items were not found:

Object oval:ssg-object_file_owner_cron_monthly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.monthly	no value	oval:ssg-symlink_file_owner_cron_monthly_uid_0:ste:1	oval:ssg-state_file_owner_cron_monthly_uid_0_0:ste:1

Verify Owner on cron.weekly

Rule ID xccdf_org.ssgproject.content_rule_file_owner_cron_weekly

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.5, 2.2.6

Description

To properly set the owner of /etc/cron.weekly, run the command:

$ sudo chown root /etc/cron.weekly

Rationale

OVAL details

Testing user ownership of /etc/cron.weekly/ passed because these items were not found:

Object oval:ssg-object_file_owner_cron_weekly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.weekly	no value	oval:ssg-symlink_file_owner_cron_weekly_uid_0:ste:1	oval:ssg-state_file_owner_cron_weekly_uid_0_0:ste:1

Verify Owner on crontab

Rule ID xccdf_org.ssgproject.content_rule_file_owner_crontab

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.2, 2.2.6

Description

To properly set the owner of /etc/crontab, run the command:

$ sudo chown root /etc/crontab

Rationale

OVAL details

Testing user ownership of /etc/crontab passed because these items were not found:

Object oval:ssg-object_file_owner_crontab_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/crontab	oval:ssg-symlink_file_owner_crontab_uid_0:ste:1	oval:ssg-state_file_owner_crontab_uid_0_0:ste:1

Verify Permissions on cron.d

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_cron_d

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.7, 2.2.6

Description

To properly set the permissions of /etc/cron.d, run the command:

$ sudo chmod 0700 /etc/cron.d

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

OVAL details

Testing mode of /etc/cron.d/ failed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/etc/cron.d/	directory	0	0	4096	`rwxr-xr-x`

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Find /etc/cron.d/ file(s)
  command: 'find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt  -type d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_cron_d
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set permissions for /etc/cron.d/ file(s)
  file:
    path: '{{ item }}'
    mode: u-s,g-xwrs,o-xwrt
    state: directory
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_cron_d
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Permissions on cron.daily

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_cron_daily

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.4, 2.2.6

Description

To properly set the permissions of /etc/cron.daily, run the command:

$ sudo chmod 0700 /etc/cron.daily

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

OVAL details

Testing mode of /etc/cron.daily/ failed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/etc/cron.daily/	directory	0	0	4096	`rwxr-xr-x`

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Find /etc/cron.daily/ file(s)
  command: 'find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt  -type d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_cron_daily
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set permissions for /etc/cron.daily/ file(s)
  file:
    path: '{{ item }}'
    mode: u-s,g-xwrs,o-xwrt
    state: directory
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_cron_daily
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Permissions on cron.hourly

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.3, 2.2.6

Description

To properly set the permissions of /etc/cron.hourly, run the command:

$ sudo chmod 0700 /etc/cron.hourly

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

OVAL details

Testing mode of /etc/cron.hourly/ failed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/etc/cron.hourly/	directory	0	0	4096	`rwxr-xr-x`

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Find /etc/cron.hourly/ file(s)
  command: 'find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt  -type
    d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_cron_hourly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set permissions for /etc/cron.hourly/ file(s)
  file:
    path: '{{ item }}'
    mode: u-s,g-xwrs,o-xwrt
    state: directory
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_cron_hourly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Permissions on cron.monthly

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.6, 2.2.6

Description

To properly set the permissions of /etc/cron.monthly, run the command:

$ sudo chmod 0700 /etc/cron.monthly

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

OVAL details

Testing mode of /etc/cron.monthly/ failed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/etc/cron.monthly/	directory	0	0	4096	`rwxr-xr-x`

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Find /etc/cron.monthly/ file(s)
  command: 'find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt  -type
    d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_cron_monthly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set permissions for /etc/cron.monthly/ file(s)
  file:
    path: '{{ item }}'
    mode: u-s,g-xwrs,o-xwrt
    state: directory
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_cron_monthly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Permissions on cron.weekly

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.5, 2.2.6

Description

To properly set the permissions of /etc/cron.weekly, run the command:

$ sudo chmod 0700 /etc/cron.weekly

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

OVAL details

Testing mode of /etc/cron.weekly/ failed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/etc/cron.weekly/	directory	0	0	4096	`rwxr-xr-x`

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Find /etc/cron.weekly/ file(s)
  command: 'find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt  -type
    d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_cron_weekly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set permissions for /etc/cron.weekly/ file(s)
  file:
    path: '{{ item }}'
    mode: u-s,g-xwrs,o-xwrt
    state: directory
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_cron_weekly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Permissions on crontab

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_crontab

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.2, 2.2.6

Description

To properly set the permissions of /etc/crontab, run the command:

$ sudo chmod 0600 /etc/crontab

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

OVAL details

Testing mode of /etc/crontab failed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/etc/crontab	regular	0	0	1136	`rw-r--r--`

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Test for existence /etc/crontab
  stat:
    path: /etc/crontab
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_crontab
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/crontab
  file:
    path: /etc/crontab
    mode: u-xs,g-xwrs,o-xwrt
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_crontab
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

chmod u-xs,g-xwrs,o-xwrt /etc/crontab

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Uninstall the nis package

Rule ID

xccdf_org.ssgproject.content_rule_package_nis_removed

Result

pass

Time

2025-05-13T15:26:36

Severity

low

Identifiers and References

References: 2.2.14

Description

The support for Yellowpages should not be installed unless it is required.

Rationale

NIS is the historical SUN service for central account management, more and more replaced by LDAP. NIS does not support efficiently security constraints, ACL, etc. and should not be used.

OVAL details

package nis is removed passed because these items were not found:

Object oval:ssg-obj_test_package_nis_removed:obj:1 of type dpkginfo_object

Name
nis

Uninstall DHCP Server Package

Rule ID xccdf_org.ssgproject.content_rule_package_dhcp_removed

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The isc-dhcp-server package can be removed with the following command:

$ apt-get remove isc-dhcp-server

Rationale

Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.

OVAL details

package isc-dhcp-server is removed passed because these items were not found:

Object oval:ssg-obj_test_package_isc-dhcp-server_removed:obj:1 of type dpkginfo_object

Name
isc-dhcp-server

Uninstall bind Package

Rule ID xccdf_org.ssgproject.content_rule_package_bind_removed

Result

pass

Time 2025-05-13T15:26:36

Severity low

Identifiers and References

Description

The named service is provided by the bind package. The bind package can be removed with the following command:

$ apt-get remove bind

Rationale

If there is no need to make DNS server software available, removing it provides a safeguard against its activation.

OVAL details

package bind9 is removed passed because these items were not found:

Object oval:ssg-obj_test_package_bind9_removed:obj:1 of type dpkginfo_object

Name
bind9

Uninstall vsftpd Package

Rule ID xccdf_org.ssgproject.content_rule_package_vsftpd_removed

Result

pass

Time 2025-05-13T15:26:36

Severity high

Identifiers and References

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000197, CCI-000366, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), IA-5(1).1(v), CM-7, CM-7.1(ii), PR.IP-1, PR.PT-3, SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, 2.2.8

Description

The vsftpd package can be removed with the following command:

 $ apt-get remove vsftpd

Rationale

Removing the vsftpd package decreases the risk of its accidental activation.

OVAL details

package vsftpd is removed passed because these items were not found:

Object oval:ssg-obj_test_package_vsftpd_removed:obj:1 of type dpkginfo_object

Name
vsftpd

Uninstall httpd Package

Rule ID xccdf_org.ssgproject.content_rule_package_httpd_removed

Result

fail

Time 2025-05-13T15:26:36

Severity unknown

Identifiers and References

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.9

Description

The apache2 package can be removed with the following command:

$ apt-get remove apache2

Rationale

If there is no need to make the web server software available, removing it provides a safeguard against its activation.

OVAL details

package apache2 is removed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
apache2	amd64	0	1ubuntu4.14	2.4.52	0:2.4.52-1ubuntu4.14

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Ensure apache2 is removed
  package:
    name: apache2
    state: absent
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - package_httpd_removed
  - unknown_severity

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

include remove_apache2

class remove_apache2 {
  package { 'apache2':
    ensure => 'purged',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable


# CAUTION: This remediation script will remove apache2
#	   from the system, and may remove any packages
#	   that depend on apache2. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

DEBIAN_FRONTEND=noninteractive apt-get remove -y "apache2"

Uninstall nginx Package

Rule ID xccdf_org.ssgproject.content_rule_package_nginx_removed

Result

pass

Time 2025-05-13T15:26:36

Severity unknown

Identifiers and References

References: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.9

Description

The nginx package can be removed with the following command:

$ apt-get remove nginx

Rationale

If there is no need to make the web server software available, removing it provides a safeguard against its activation.

OVAL details

package nginx is removed passed because these items were not found:

Object oval:ssg-obj_test_package_nginx_removed:obj:1 of type dpkginfo_object

Name
nginx

Uninstall cyrus-imapd Package

Rule ID xccdf_org.ssgproject.content_rule_package_cyrus-imapd_removed

Result

pass

Time 2025-05-13T15:26:36

Severity unknown

Identifiers and References

References: 2.2.10

Description

The cyrus-imapd package can be removed with the following command:

$ apt-get remove cyrus-imapd

Rationale

If there is no need to make the cyrus-imapd software available, removing it provides a safeguard against its activation.

OVAL details

package cyrus-imapd is removed passed because these items were not found:

Object oval:ssg-obj_test_package_cyrus-imapd_removed:obj:1 of type dpkginfo_object

Name
cyrus-imapd

Uninstall dovecot Package

Rule ID xccdf_org.ssgproject.content_rule_package_dovecot_removed

Result

pass

Time 2025-05-13T15:26:36

Severity unknown

Identifiers and References

References: 2.2.10

Description

The dovecot-core package can be removed with the following command:

$ apt-get remove dovecot-core

Rationale

If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation.

OVAL details

package dovecot-core is removed passed because these items were not found:

Object oval:ssg-obj_test_package_dovecot-core_removed:obj:1 of type dpkginfo_object

Name
dovecot-core

Ensure LDAP client is not installed

Rule ID xccdf_org.ssgproject.content_rule_package_openldap-clients_removed

Result

fail

Time 2025-05-13T15:26:36

Severity low

Identifiers and References

References: 2.3.5

Description

The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The lapd-utils package can be removed with the following command:

$ apt-get remove lapd-utils

Rationale

If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface.

OVAL details

package ldap-utils is removed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
ldap-utils	amd64	0	0ubuntu0.22.04.3	2.5.18+dfsg	0:2.5.18+dfsg-0ubuntu0.22.04.3

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Ensure ldap-utils is removed
  package:
    name: ldap-utils
    state: absent
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - package_openldap-clients_removed

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

include remove_ldap-utils

class remove_ldap-utils {
  package { 'ldap-utils':
    ensure => 'purged',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable


# CAUTION: This remediation script will remove ldap-utils
#	   from the system, and may remove any packages
#	   that depend on ldap-utils. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

DEBIAN_FRONTEND=noninteractive apt-get remove -y "ldap-utils"

Uninstall openldap-servers Package

Rule ID

xccdf_org.ssgproject.content_rule_package_openldap-servers_removed

Result

pass

Time

2025-05-13T15:26:36

Severity

low

Identifiers and References

Description

The slapd package is not installed by default on a Ubuntu 22.04 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.

Rationale

Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.

OVAL details

package slapd is removed passed because these items were not found:

Object oval:ssg-obj_test_package_slapd_removed:obj:1 of type dpkginfo_object

Name
slapd

Disable Postfix Network Listening

Rule ID	xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000382, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.15, R74, 1.4.2
Description	Edit the file `/etc/postfix/main.cf` to ensure that only the following `inet_interfaces` line appears: inet_interfaces = loopback-only
Rationale	This ensures `postfix` accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.

Ensure Mail Transfer Agent is not Listening on any non-loopback Address

Rule ID

xccdf_org.ssgproject.content_rule_has_nonlocal_mta

Result

pass

Time

2025-05-13T15:26:36

Severity

medium

Identifiers and References

References: 2.2.15

Description

Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail.

Rationale

The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems.

OVAL details

mta is not listening on any non-loopback address passed because these items were not found:

Object oval:ssg-obj_listening_port_25:obj:1 of type inetlisteningservers_object

Protocol	Local address	Local port	Filter	Filter
tcp	127.0.0.1	25	oval:ssg-ste_not_port_25:ste:1	oval:ssg-ste_not_on_localhost:ste:1

Uninstall rpcbind Package

Rule ID xccdf_org.ssgproject.content_rule_package_rpcbind_removed

Result

pass

Time 2025-05-13T15:26:36

Severity low

Identifiers and References

References: 2.3.6

Description

The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. If the system does not require RPC (such as for NFS servers) then this service should be disabled. The rpcbind package can be removed with the following command:

$ apt-get remove rpcbind

Rationale

If the system does not require rpc based services, it is recommended that rpcbind be disabled to reduce the attack surface.

OVAL details

package rpcbind is removed passed because these items were not found:

Object oval:ssg-obj_test_package_rpcbind_removed:obj:1 of type dpkginfo_object

Name
rpcbind

Uninstall nfs-kernel-server Package

Rule ID xccdf_org.ssgproject.content_rule_package_nfs-kernel-server_removed

Result

pass

Time 2025-05-13T15:26:36

Severity low

Identifiers and References

References: 2.2.6

Description

The nfs-kernel-server package can be removed with the following command:

$ apt-get remove nfs-kernel-server

Rationale

If the system does not export NFS shares or act as an NFS client, it is recommended that these services be removed to reduce the remote attack surface.

OVAL details

package nfs-kernel-server is removed passed because these items were not found:

Object oval:ssg-obj_test_package_nfs-kernel-server_removed:obj:1 of type dpkginfo_object

Name
nfs-kernel-server

Install the systemd_timesyncd Service

Rule ID

xccdf_org.ssgproject.content_rule_package_timesyncd_installed

Result

pass

Time

2025-05-13T15:26:36

Severity

high

Identifiers and References

References: 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000160, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.4, 2.1.1.1

Description

The systemd_timesyncd service should be installed.

Rationale

Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). systemd_timesyncd is a part of the systemd suite and acts as a NTP client.

OVAL details

package systemd-timesyncd is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr
systemd-timesyncd	amd64	0	0ubuntu3.15	249.11	0:249.11-0ubuntu3.15

The Chronyd service is enabled

Rule ID	xccdf_org.ssgproject.content_rule_service_chronyd_enabled
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 0988, 1405, SRG-OS-000355-GPOS-00143, 2.1.2.3
Description	chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. To enable Chronyd service, you can run: `# systemctl enable chronyd.service` This recommendation only applies if chrony is in use on the system.
Rationale	If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

Enable the NTP Daemon

Rule ID	xccdf_org.ssgproject.content_rule_service_ntp_enabled
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	high
Identifiers and References	References: 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000160, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(a), PR.PT-1, Req-10.4, 2.1.4.4, 10.6.1
Description	The `ntp` service can be enabled with the following command: $ sudo systemctl enable ntp.service
Rationale	Enabling the `ntp` service ensures that the `ntp` service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The NTP daemon offers all of the functionality of `ntpdate`, which is now deprecated.

Enable systemd_timesyncd Service

Rule ID xccdf_org.ssgproject.content_rule_service_timesyncd_enabled

Result

pass

Time 2025-05-13T15:26:36

Severity high

Identifiers and References

Description

The systemd_timesyncd service can be enabled with the following command:

$ sudo systemctl enable systemd_timesyncd.service

Rationale

Enabling the systemd_timesyncd service ensures that this host uses the ntp protocol to fetch time data from a ntp server. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

Additional information on Ubuntu network time protocol is available at https://help.ubuntu.com/lts/serverguide/NTP.html.en.

OVAL details

package systemd is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr
systemd	amd64	0	0ubuntu3.15	249.11	0:249.11-0ubuntu3.15

Test that the systemd-timesyncd service is running passed because of these items:

Unit	Property	Value
systemd-timesyncd.service	ActiveState	active

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	setvtrgb.service	local-fs.target	boot-efi.mount	systemd-remount-fs.service	systemd-fsck-root.service	systemd-udevd.service	systemd-binfmt.service	apparmor.service	sys-kernel-debug.mount	plymouth-start.service	systemd-sysctl.service	kmod-static-nodes.service	systemd-ask-password-console.path	systemd-random-seed.service	sys-fs-fuse-connections.mount	systemd-tmpfiles-setup-dev.service	systemd-timesyncd.service	systemd-modules-load.service	keyboard-setup.service	systemd-tmpfiles-setup.service	veritysetup.target	systemd-update-utmp.service	systemd-udev-trigger.service	plymouth-read-write.service	dev-mqueue.mount	systemd-journald.service	cryptsetup.target	systemd-journal-flush.service	swap.target	swapfile.swap	sys-kernel-tracing.mount	systemd-sysusers.service	systemd-pstore.service	dev-hugepages.mount	proc-sys-fs-binfmt_misc.automount	systemd-boot-system-token.service	sys-kernel-config.mount	systemd-machine-id-commit.service	paths.target	apport-autoreport.path	acpid.path	tmp.mount	slices.target	system.slice	-.slice	timers.target	apt-daily.timer	systemd-tmpfiles-clean.timer	fstrim.timer	ua-timer.timer	anacron.timer	man-db.timer	update-notifier-download.timer	e2scrub_all.timer	fwupd-refresh.timer	dpkg-db-backup.timer	snapd.snap-repair.timer	logrotate.timer	apt-daily-upgrade.timer	motd-news.timer	phpsessionclean.timer	apport-autoreport.timer	update-notifier-motd.timer	sockets.target	systemd-udevd-control.socket	systemd-journald-dev-log.socket	acpid.socket	cups.socket	avahi-daemon.socket	systemd-udevd-kernel.socket	systemd-journald-audit.socket	systemd-initctl.socket	apport-forward.socket	snapd.socket	docker.socket	dbus.socket	uuidd.socket	systemd-journald.socket	containerd.service	snap-maxautoclicker-1.mount	snap-gnome\x2d42\x2d2204-176.mount	cups.service	snap-crackmapexec-275.mount	snap-ffmpeg\x2d2404-59.mount	snap-gimp-517.mount	snap-ffmpeg\x2d2404-55.mount	cups-browsed.service	wpa_supplicant.service	grub-initrd-fallback.service	snap-metasploit\x2dframework-1970.mount	teamviewerd.service	ssh.service	snapd.seeded.service	snap-core20-2571.mount	snap-core22-1908.mount	tor.service	plymouth-quit.service	systemd-ask-password-wall.path	snap-core-17200.mount	snap-core18-2846.mount	snap-snapd\x2ddesktop\x2dintegration-83.mount	var-snap-firefox-common-host\x2dhunspell.mount	snap-wine\x2dplatform\x2d5\x2dstable-18.mount	getty.target	getty-static.service	getty@tty1.service	unattended-upgrades.service	snap-core20-2501.mount	snap-firefox-6073.mount	docker.service	forticlient.service	systemd-resolved.service	ua-reboot-cmds.service	snap-gnome\x2d46\x2d2404-77.mount	snap-gtk\x2dcommon\x2dthemes-1535.mount	snap-core18-2855.mount	vboxautostart-service.service	ubuntu-advantage.service	apache2.service	secureboot-db.service	snap-dalfox-313.mount	grub-common.service	snap-core24-739.mount	snapd.core-fixup.service	snap-snapd\x2ddesktop\x2dintegration-253.mount	snap-quick\x2dblackjack-1.mount	snap-discord-239.mount	ufw.service	snap-gnome\x2d3\x2d28\x2d1804-198.mount	snap-telegram\x2ddesktop-6597.mount	avahi-daemon.service	networkd-dispatcher.service	binfmt-support.service	snap-telegram\x2ddesktop-6593.mount	snap-core-17210.mount	snap-snapd-24505.mount	vboxweb-service.service	snapd.apparmor.service	thermald.service	snapd.aa-prompt-listener.service	snap-seclists-900.mount	vboxballoonctrl-service.service	irqbalance.service	snap-enum4linux-66.mount	snap-discord-238.mount	snap-gtk2\x2dcommon\x2dthemes-13.mount	snap-wine\x2dplatform\x2druntime-397.mount	snap-gnome\x2d46\x2d2404-90.mount	remote-fs.target	e2scrub_reap.service	ModemManager.service	snap-mesa\x2d2404-495.mount	snap-gimp-515.mount	vboxdrv.service	snap-walc-19.mount	snap-gnome\x2d3\x2d38\x2d2004-143.mount	dmesg.service	snap-core22-1963.mount	systemd-oomd.service	hostapd.service	snap-snapd-23771.mount	snap-netflix\x2dweb-1.mount	snap-snap\x2dstore-959.mount	systemd-logind.service	NetworkManager.service	kerneloops.service	systemd-update-utmp-runlevel.service	snapd.service	snap-metasploit\x2dframework-2025.mount	snap-firefox-6103.mount	systemd-user-sessions.service	anacron.service	snapd.autoimport.service	snapd.recovery-chooser-trigger.service	apport.service	cups.path	plymouth-quit-wait.service	console-setup.service	dbus.service	snap-bare-5.mount	cron.service	rsyslog.service	snap-snap\x2dstore-1216.mount	openvpn.service	virtualbox.service	snap-gnome\x2d42\x2d2204-202.mount	ubuntu-fan.service	snap-core24-888.mount

Ensure that chronyd is running under chrony user account

Rule ID	xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 2.1.2.2, 10.6.3
Description	chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. To ensure that chronyd is running under chrony user account, `user` variable in `/etc/chrony/chrony.conf` is set to `_chrony` or is absent: user _chrony This recommendation only applies if chrony is in use on the system.
Rationale	If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

Configure server restrictions for ntpd

Rule ID	xccdf_org.ssgproject.content_rule_ntpd_configure_restrictions
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 2.1.4.1
Description	ntpd is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. To ensure that ntpd implements correct server restrictions, make sure that the following lines exist in the file `/etc/ntpd.conf`: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery This recommendation only applies if ntp is in use on the system.
Rationale	If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

Configure ntpd To Run As ntp User

Rule ID	xccdf_org.ssgproject.content_rule_ntpd_run_as_ntp_user
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 2.1.4.3
Description	ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. To ensure that ntpd is running as ntp user, Add or edit the `OPTIONS` variable in `/etc/sysconfig/ntpd` to include ' -u ntp:ntp ': OPTIONS="-u ntp:ntp" This recommendation only applies if ntp is in use on the system.
Rationale	If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly. Running ntpd under dedicated user accounts limits the attack surface for potential attacker exploiting security flaws in the daemon or the protocol.

Uninstall rsh Package

Rule ID xccdf_org.ssgproject.content_rule_package_rsh_removed

Result

pass

Time 2025-05-13T15:26:36

Severity unknown

Identifiers and References

References: 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.3.2, R62, 2.2.4

Description

The rsh-client package contains the client commands for the rsh services

Rationale

These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh-client package removes the clients for rsh,rcp, and rlogin.

OVAL details

package rsh-client is removed passed because these items were not found:

Object oval:ssg-obj_test_package_rsh-client_removed:obj:1 of type dpkginfo_object

Name
rsh-client

Remove Rsh Trust Files

Rule ID	xccdf_org.ssgproject.content_rule_no_rsh_trust_files
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	high
Identifiers and References	References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 6.2.16
Description	The files `/etc/hosts.equiv` and `~/.rhosts` (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location: $ sudo rm /etc/hosts.equiv $ rm ~/.rhosts
Rationale	This action is only meaningful if `.rhosts` support is permitted through PAM. Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

Uninstall talk Package

Rule ID xccdf_org.ssgproject.content_rule_package_talk_removed

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 2.3.3, R62, 2.2.4

Description

The talk package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user. The talk package can be removed with the following command:

$ apt-get remove talk

Rationale

The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of talk client program.

OVAL details

package talk is removed passed because these items were not found:

Object oval:ssg-obj_test_package_talk_removed:obj:1 of type dpkginfo_object

Name
talk

Remove telnet Clients

Rule ID xccdf_org.ssgproject.content_rule_package_telnet_removed

Result

fail

Time 2025-05-13T15:26:36

Severity low

Identifiers and References

References: 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.3.4, R62, 2.2.4

Description

The telnet client allows users to start connections to other systems via the telnet protocol.

Rationale

The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in Ubuntu 22.04.

OVAL details

package telnet is removed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
telnet	amd64	0	44build1	0.17	0:0.17-44build1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Ensure telnet is removed
  package:
    name: telnet
    state: absent
  tags:
  - NIST-800-171-3.1.13
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - package_telnet_removed

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

include remove_telnet

class remove_telnet {
  package { 'telnet':
    ensure => 'purged',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable


# CAUTION: This remediation script will remove telnet
#	   from the system, and may remove any packages
#	   that depend on telnet. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

DEBIAN_FRONTEND=noninteractive apt-get remove -y "telnet"

Uninstall rsync Package

Rule ID xccdf_org.ssgproject.content_rule_package_rsync_removed

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 2.2.16

Description

The rsyncd service can be used to synchronize files between systems over network links. The rsync package can be removed with the following command:

$ apt-get remove rsync

Rationale

The rsyncd service presents a security risk as it uses unencrypted protocols for communication.

OVAL details

package rsync is removed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
rsync	amd64	0	0ubuntu0.22.04.4	3.2.7	0:3.2.7-0ubuntu0.22.04.4

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Ensure rsync is removed
  package:
    name: rsync
    state: absent
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_rsync_removed

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

include remove_rsync

class remove_rsync {
  package { 'rsync':
    ensure => 'purged',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable


# CAUTION: This remediation script will remove rsync
#	   from the system, and may remove any packages
#	   that depend on rsync. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

DEBIAN_FRONTEND=noninteractive apt-get remove -y "rsync"

Uninstall CUPS Package

Rule ID xccdf_org.ssgproject.content_rule_package_cups_removed

Result

fail

Time 2025-05-13T15:26:36

Severity unknown

Identifiers and References

Description

The cups package can be removed with the following command:

$ apt-get remove cups

Rationale

If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface.

OVAL details

package cups is removed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
cups	amd64	0	1ubuntu4.11	2.4.1op1	0:2.4.1op1-1ubuntu4.11

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Ensure cups is removed
  package:
    name: cups
    state: absent
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - package_cups_removed
  - unknown_severity

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

include remove_cups

class remove_cups {
  package { 'cups':
    ensure => 'purged',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable


# CAUTION: This remediation script will remove cups
#	   from the system, and may remove any packages
#	   that depend on cups. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

DEBIAN_FRONTEND=noninteractive apt-get remove -y "cups"

Disable the CUPS Service

Rule ID xccdf_org.ssgproject.content_rule_service_cups_disabled

Result

fail

Time 2025-05-13T15:26:36

Severity unknown

Identifiers and References

Description

The cups service can be disabled with the following command:

$ sudo systemctl mask --now cups.service

Rationale

Turn off unneeded services to reduce attack surface.

OVAL details

package cups is removed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
cups	amd64	0	1ubuntu4.11	2.4.1op1	0:2.4.1op1-1ubuntu4.11

Test that the cups service is not running failed because of these items:

Unit	Property	Value
cups.service	ActiveState	active
cups.socket	ActiveState	active

Test that the property LoadState from the service cups is masked failed because of these items:

Unit	Property	Value
cups.socket	LoadState	loaded
cups.service	LoadState	loaded

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Disable the CUPS Service - Collect systemd Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_cups_disabled
  - unknown_severity

- name: Disable the CUPS Service - Ensure "cups.service" is Masked
  ansible.builtin.systemd:
    name: cups.service
    state: stopped
    enabled: false
    masked: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - service_exists.stdout_lines is search("cups.service",multiline=True)
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_cups_disabled
  - unknown_severity

- name: Unit Socket Exists - cups.socket
  ansible.builtin.command: systemctl -q list-unit-files cups.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_cups_disabled
  - unknown_severity

- name: Disable socket cups
  ansible.builtin.systemd:
    name: cups.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("cups.socket",multiline=True)
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_cups_disabled
  - unknown_severity

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include disable_cups

class disable_cups {
  service {'cups':
    enable => false,
    ensure => 'stopped',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'cups.service'
"$SYSTEMCTL_EXEC" disable 'cups.service'
"$SYSTEMCTL_EXEC" mask 'cups.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files cups.socket; then
    "$SYSTEMCTL_EXEC" stop 'cups.socket'
    "$SYSTEMCTL_EXEC" mask 'cups.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'cups.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation script: (show)

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: cups.service
        enabled: false
        mask: true
      - name: cups.socket
        enabled: false
        mask: true

Remediation script: (show)


[customizations.services]
masked = ["cups"]

Uninstall squid Package

Rule ID xccdf_org.ssgproject.content_rule_package_squid_removed

Result

pass

Time 2025-05-13T15:26:36

Severity unknown

Identifiers and References

References: 2.2.12

Description

The squid package can be removed with the following command:

 $ apt-get remove squid

Rationale

If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.

OVAL details

package squid is removed passed because these items were not found:

Object oval:ssg-obj_test_package_squid_removed:obj:1 of type dpkginfo_object

Name
squid

Uninstall Samba Package

Rule ID xccdf_org.ssgproject.content_rule_package_samba_removed

Result

pass

Time 2025-05-13T15:26:36

Severity unknown

Identifiers and References

References: 2.2.11

Description

The samba package can be removed with the following command:

 $ apt-get remove samba

Rationale

If there is no need to make the Samba software available, removing it provides a safeguard against its activation.

OVAL details

package samba is removed passed because these items were not found:

Object oval:ssg-obj_test_package_samba_removed:obj:1 of type dpkginfo_object

Name
samba

Uninstall net-snmp Package

Rule ID xccdf_org.ssgproject.content_rule_package_net-snmp_removed

Result

pass

Time 2025-05-13T15:26:36

Severity unknown

Identifiers and References

References: 2.2.13, 2.2.4

Description

The snmp package provides the snmpd service. The snmp package can be removed with the following command:

$ apt-get remove snmp

Rationale

If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.

OVAL details

package snmp is removed passed because these items were not found:

Object oval:ssg-obj_test_package_snmp_removed:obj:1 of type dpkginfo_object

Name
snmp

Set SSH Client Alive Count Max

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_keepalive

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, UBTU-22-255030, 5.2.22, 8.2.8

Description

The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, then the session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message.

Rationale

This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.

OVAL details

Check the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file failed because these items were missing:

Object oval:ssg-object_sshd_set_keepalive_clientalivecountmax:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_set_keepalive_clientalivecountmax:ste:1 of type textfilecontent54_state

Subexpression
3

Check the value of ClientAliveCountMax setting in /etc/ssh/sshd_config.d/ files failed because these items were missing:

Object oval:ssg-object_sshd_set_keepalive_clientalivecountmax_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/ssh/sshd_config.d	.*\.conf$	^[ \t](?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_set_keepalive_clientalivecountmax:ste:1 of type textfilecontent54_state

Subexpression
3

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_sshd_set_keepalive # promote to variable
  set_fact:
    var_sshd_set_keepalive: !!str 3
  tags:
    - always

- name: Set SSH Client Alive Count Max
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*ClientAliveCountMax\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*ClientAliveCountMax\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*ClientAliveCountMax\s+
      line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.6
  - DISA-STIG-UBTU-22-255030
  - NIST-800-171-3.1.11
  - NIST-800-53-AC-12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-2(5)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-10
  - PCI-DSS-Req-8.1.8
  - PCI-DSSv4-8.2.8
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_set_keepalive

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_sshd_set_keepalive='3'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set SSH Client Alive Interval

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, UBTU-22-255035, 5.2.22, 8.2.8

Description

SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out.

To set this timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval 300

The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

Rationale

Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.

Warnings

warning SSH disconnecting unresponsive clients will not have desired effect without also configuring ClientAliveCountMax in the SSH service configuration.

warning Following conditions may prevent the SSH session to time out:

Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.
Any scp or sftp activity by the same user to the host resets the timeout.

OVAL details

timeout is configured failed because these items were missing:

Object oval:ssg-object_sshd_idle_timeout:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)ClientAliveInterval[\s]+(\d+)[\s](?:#.*)?$	1

State oval:ssg-state_timeout_value_upper_bound:ste:1 of type textfilecontent54_state

Subexpression
300

timeout is configured in config directory failed because these items were missing:

Object oval:ssg-object_sshd_idle_timeout_config_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/ssh/sshd_config.d	.*\.conf$	^[\s](?i)ClientAliveInterval[\s]+(\d+)[\s](?:#.*)?$	1

State oval:ssg-state_timeout_value_upper_bound:ste:1 of type textfilecontent54_state

Subexpression
300

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

sshd_idle_timeout_value='300'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Host-Based Authentication

Rule ID xccdf_org.ssgproject.content_rule_disable_host_auth

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00229, 5.2.8, 8.3.1

Description

SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
The default SSH configuration disables host-based authentication. The appropriate configuration is used if no value is set for HostbasedAuthentication.
To explicitly disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:

HostbasedAuthentication no

Rationale

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

OVAL details

tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file failed because these items were missing:

Object oval:ssg-obj_disable_host_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_disable_host_auth:ste:1 of type textfilecontent54_state

Subexpression
^no$

tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config.d file failed because these items were missing:

Object oval:ssg-obj_disable_host_auth_config_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/ssh/sshd_config.d	.*\.conf$	^[ \t](?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_disable_host_auth_config_dir:ste:1 of type textfilecontent54_state

Subexpression
^no$

Verify that the value of HostbasedAuthentication is present failed because these items were missing:

Object oval:ssg-obj_collection_obj_disable_host_auth:obj:1 of type textfilecontent54_object

Set
oval:ssg-obj_disable_host_auth:obj:1 oval:ssg-obj_disable_host_auth_config_dir:obj:1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Disable Host-Based Authentication
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter HostbasedAuthentication is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
      line: HostbasedAuthentication no
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.6
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSSv4-8.3.1
  - disable_host_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert at the beginning of the file
printf '%s\n' "HostbasedAuthentication no" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
cat "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable SSH Access via Empty Passwords

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords

Result

fail

Time 2025-05-13T15:26:36

Severity high

Identifiers and References

References: 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, Req-2.2.4, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, UBTU-22-255025, 5.2.9, 2.2.6

Description

Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:

PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

OVAL details

tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file failed because these items were missing:

Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_disable_empty_passwords:ste:1 of type textfilecontent54_state

Subexpression
^no$

tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config.d file failed because these items were missing:

Object oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/ssh/sshd_config.d	.*\.conf$	^[ \t](?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_disable_empty_passwords_config_dir:ste:1 of type textfilecontent54_state

Subexpression
^no$

Verify that the value of PermitEmptyPasswords is present failed because these items were missing:

Object oval:ssg-obj_collection_obj_sshd_disable_empty_passwords:obj:1 of type textfilecontent54_object

Set
oval:ssg-obj_sshd_disable_empty_passwords:obj:1 oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Disable SSH Access via Empty Passwords
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter PermitEmptyPasswords is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
      line: PermitEmptyPasswords no
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.6
  - DISA-STIG-UBTU-22-255025
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-2.2.4
  - PCI-DSSv4-2.2.6
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_empty_passwords

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert at the beginning of the file
printf '%s\n' "PermitEmptyPasswords no" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
cat "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable SSH Support for .rhosts Files

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_rhosts

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00227, 5.2.11, 2.2.6

Description

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.
The default SSH configuration disables support for .rhosts. The appropriate configuration is used if no value is set for IgnoreRhosts.
To explicitly disable support for .rhosts files, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:

IgnoreRhosts yes

Rationale

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

OVAL details

tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file failed because these items were missing:

Object oval:ssg-obj_sshd_disable_rhosts:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_disable_rhosts:ste:1 of type textfilecontent54_state

Subexpression
^yes$

tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config.d file failed because these items were missing:

Object oval:ssg-obj_sshd_disable_rhosts_config_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/ssh/sshd_config.d	.*\.conf$	^[ \t](?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_disable_rhosts_config_dir:ste:1 of type textfilecontent54_state

Subexpression
^yes$

Verify that the value of IgnoreRhosts is present failed because these items were missing:

Object oval:ssg-obj_collection_obj_sshd_disable_rhosts:obj:1 of type textfilecontent54_object

Set
oval:ssg-obj_sshd_disable_rhosts:obj:1 oval:ssg-obj_sshd_disable_rhosts_config_dir:obj:1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Disable SSH Support for .rhosts Files
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter IgnoreRhosts is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
      line: IgnoreRhosts yes
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.6
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_rhosts

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert at the beginning of the file
printf '%s\n' "IgnoreRhosts yes" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
cat "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable SSH Root Login

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_root_login

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FAU_GEN.1, Req-2.2.4, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-APP-000148-CTR-000335, SRG-APP-000190-CTR-000500, 5.2.7, R33, 2.2.6

Description

The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:

PermitRootLogin no

Rationale

Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.

OVAL details

tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file failed because these items were missing:

Object oval:ssg-obj_sshd_disable_root_login:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_disable_root_login:ste:1 of type textfilecontent54_state

Subexpression
^no$

tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config.d file failed because these items were missing:

Object oval:ssg-obj_sshd_disable_root_login_config_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/ssh/sshd_config.d	.*\.conf$	^[ \t](?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_disable_root_login_config_dir:ste:1 of type textfilecontent54_state

Subexpression
^no$

Verify that the value of PermitRootLogin is present failed because these items were missing:

Object oval:ssg-obj_collection_obj_sshd_disable_root_login:obj:1 of type textfilecontent54_object

Set
oval:ssg-obj_sshd_disable_root_login:obj:1 oval:ssg-obj_sshd_disable_root_login_config_dir:obj:1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Disable SSH Root Login
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter PermitRootLogin is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      create: true
      regexp: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
      line: PermitRootLogin no
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.6
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-6(2)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-2
  - NIST-800-53-IA-2(5)
  - PCI-DSS-Req-2.2.4
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_root_login

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf

LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"

cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
# Insert at the beginning of the file
printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Do Not Allow SSH Environment Options

Rule ID xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, Req-2.2.4, SRG-OS-000480-GPOS-00229, UBTU-22-255025, 5.2.10, 2.2.6

Description

Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:

PermitUserEnvironment no

Rationale

SSH environment options potentially allow users to bypass access restriction in some configurations.

OVAL details

tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file failed because these items were missing:

Object oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_do_not_permit_user_env:ste:1 of type textfilecontent54_state

Subexpression
^no$

tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config.d file failed because these items were missing:

Object oval:ssg-obj_sshd_do_not_permit_user_env_config_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/ssh/sshd_config.d	.*\.conf$	^[ \t](?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_do_not_permit_user_env_config_dir:ste:1 of type textfilecontent54_state

Subexpression
^no$

Verify that the value of PermitUserEnvironment is present failed because these items were missing:

Object oval:ssg-obj_collection_obj_sshd_do_not_permit_user_env:obj:1 of type textfilecontent54_object

Set
oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 oval:ssg-obj_sshd_do_not_permit_user_env_config_dir:obj:1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Do Not Allow SSH Environment Options
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter PermitUserEnvironment is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
      line: PermitUserEnvironment no
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.6
  - DISA-STIG-UBTU-22-255025
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-2.2.4
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_do_not_permit_user_env

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert at the beginning of the file
printf '%s\n' "PermitUserEnvironment no" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
cat "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable PAM

Rule ID xccdf_org.ssgproject.content_rule_sshd_enable_pam

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: CCI-000877, SRG-OS-000125-GPOS-00065, UBTU-22-255065, 5.2.6, 2.2.6

Description

UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. To enable PAM authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:

UsePAM yes

Rationale

When UsePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server.

OVAL details

tests the value of UsePAM setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	UsePAM yes

tests the value of UsePAM setting in the /etc/ssh/sshd_config.d file passed because these items were not found:

Object oval:ssg-obj_sshd_enable_pam_config_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/ssh/sshd_config.d	.*\.conf$	^[ \t](?i)UsePAM(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_enable_pam_config_dir:ste:1 of type textfilecontent54_state

Subexpression
^yes$

Verify that the value of UsePAM is present passed because of these items:

Path	Content
/etc/ssh/sshd_config	UsePAM yes

Enable SSH Warning Banner

Rule ID xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FTA_TAB.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, UBTU-22-255020, 5.2.17

Description

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:

Banner /etc/issue.net

Another section contains information on how to create an appropriate system-wide warning banner.

Rationale

The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

OVAL details

tests the value of Banner setting in the /etc/ssh/sshd_config file failed because these items were missing:

Object oval:ssg-obj_sshd_enable_warning_banner_net:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)Banner(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_enable_warning_banner_net:ste:1 of type textfilecontent54_state

Subexpression
^/etc/issue.net$

tests the value of Banner setting in the /etc/ssh/sshd_config.d file failed because these items were missing:

Object oval:ssg-obj_sshd_enable_warning_banner_net_config_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/ssh/sshd_config.d	.*\.conf$	^[ \t](?i)Banner(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_enable_warning_banner_net_config_dir:ste:1 of type textfilecontent54_state

Subexpression
^/etc/issue.net$

Verify that the value of Banner is present failed because these items were missing:

Object oval:ssg-obj_collection_obj_sshd_enable_warning_banner_net:obj:1 of type textfilecontent54_object

Set
oval:ssg-obj_sshd_enable_warning_banner_net:obj:1 oval:ssg-obj_sshd_enable_warning_banner_net_config_dir:obj:1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Enable SSH Warning Banner
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter Banner is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      create: true
      regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+
      line: Banner /etc/issue.net
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.6
  - DISA-STIG-UBTU-22-255020
  - NIST-800-171-3.1.9
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-8(a)
  - NIST-800-53-AC-8(c)
  - NIST-800-53-CM-6(a)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_enable_warning_banner_net

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf

LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"

cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
# Insert at the beginning of the file
printf '%s\n' "Banner /etc/issue.net" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Limit Users' SSH Access

Rule ID

xccdf_org.ssgproject.content_rule_sshd_limit_user_access

Result

fail

Time

2025-05-13T15:26:36

Severity

unknown

Identifiers and References

References: 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, Req-2.2.4, 5.2.4, 2.2.6

Description

By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically allowing a user's access only from a particular host, the entry can be specified in the form of user@host. - AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable.

Rationale

Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system.

Warnings

warning Automated remediation is not available for this configuration check because each system has unique user names and group names.

OVAL details

Check if there is an AllowUsers entry failed because these items were missing:

Object oval:ssg-obj_allow_user:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\/etc\/ssh\/sshd_config.*$	(?i)^[ ]AllowUsers[ ]+((?:[^ \n]+[ ])+)$	1

Check if there is an AllowGroups entry failed because these items were missing:

Object oval:ssg-obj_allow_group:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/ssh/sshd_config.*$	(?i)^[ ]AllowGroups[ ]+((?:[^ \n]+[ ])+)$	1

Check if there is a DenyUsers entry failed because these items were missing:

Object oval:ssg-obj_deny_user:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/ssh/sshd_config.*$	(?i)^[ ]DenyUsers[ ]+((?:[^ \n]+[ ])+)$	1

Check if there is a DenyGroups entry failed because these items were missing:

Object oval:ssg-obj_deny_group:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/ssh/sshd_config.*$	(?i)^[ ]DenyGroups[ ]+((?:[^ \n]+[ ])+)$	1

Ensure SSH LoginGraceTime is configured

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 5.2.21, 2.2.6

Description

The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate limits to ensure the service is available for needed access.

Rationale

Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections.

OVAL details

LoginGraceTime is configured failed because these items were missing:

Object oval:ssg-object_sshd_login_grace_time:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)LoginGraceTime[\s]+(\d+)[\s](?:#.*)?$	1

State oval:ssg-state_logingracetime_value_upper_bound:ste:1 of type textfilecontent54_state

Subexpression
60

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_sshd_set_login_grace_time # promote to variable
  set_fact:
    var_sshd_set_login_grace_time: !!str 60
  tags:
    - always

- name: Ensure SSH LoginGraceTime is configured
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*LoginGraceTime\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*LoginGraceTime\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*LoginGraceTime\s+
      line: LoginGraceTime {{ var_sshd_set_login_grace_time }}
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_set_login_grace_time

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_sshd_set_login_grace_time='60'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set LogLevel to INFO

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info

Result

fail

Time 2025-05-13T15:26:36

Severity low

Identifiers and References

References: AC-17(a), CM-6(a), 5.2.5

Description

The INFO parameter specifices that record login and logout activity will be logged.
The default SSH configuration sets the log level to INFO. The appropriate configuration is used if no value is set for LogLevel.
To explicitly specify the log level in SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:

LogLevel INFO

Rationale

SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

OVAL details

tests the value of LogLevel setting in the /etc/ssh/sshd_config file failed because these items were missing:

Object oval:ssg-obj_sshd_set_loglevel_info:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)LogLevel(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_set_loglevel_info:ste:1 of type textfilecontent54_state

Subexpression
^INFO$

tests the value of LogLevel setting in the /etc/ssh/sshd_config.d file failed because these items were missing:

Object oval:ssg-obj_sshd_set_loglevel_info_config_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/ssh/sshd_config.d	.*\.conf$	^[ \t](?i)LogLevel(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_set_loglevel_info_config_dir:ste:1 of type textfilecontent54_state

Subexpression
^INFO$

Verify that the value of LogLevel is present failed because these items were missing:

Object oval:ssg-obj_collection_obj_sshd_set_loglevel_info:obj:1 of type textfilecontent54_object

Set
oval:ssg-obj_sshd_set_loglevel_info:obj:1 oval:ssg-obj_sshd_set_loglevel_info_config_dir:obj:1

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Set LogLevel to INFO
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter LogLevel is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
      line: LogLevel INFO
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_set_loglevel_info

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert at the beginning of the file
printf '%s\n' "LogLevel INFO" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
cat "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set SSH authentication attempt limit

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, 5.2.18, 2.2.6

Description

The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. to set MaxAUthTries edit /etc/ssh/sshd_config as follows:

MaxAuthTries 4

Rationale

Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server.

OVAL details

maxauthtries is configured failed because these items were missing:

Object oval:ssg-object_sshd_max_auth_tries:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)MaxAuthTries[\s]+(\d+)[\s](?:#.*)?$	1

State oval:ssg-state_maxauthtries_value_upper_bound:ste:1 of type textfilecontent54_state

Subexpression
4

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

sshd_max_auth_tries_value='4'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set SSH MaxSessions limit

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_max_sessions

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 5.2.20, 2.2.6

Description

The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit /etc/ssh/sshd_config as follows:

MaxSessions 10

Rationale

To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon.

OVAL details

maxsessions is configured failed because these items were missing:

Object oval:ssg-object_sshd_max_sessions:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)MaxSessions[\s]+(\d+)[\s](?:#.*)?$	1

State oval:ssg-state_maxsessions_value_upper_bound:ste:1 of type textfilecontent54_state

Subexpression
10

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: XCCDF Value var_sshd_max_sessions # promote to variable
  set_fact:
    var_sshd_max_sessions: !!str 10
  tags:
    - always

- name: Set SSH MaxSessions limit
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MaxSessions\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MaxSessions\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MaxSessions\s+
      line: MaxSessions {{ var_sshd_max_sessions }}
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sshd_set_max_sessions

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_sshd_max_sessions='10'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "MaxSessions $var_sshd_max_sessions" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure SSH MaxStartups is configured

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_maxstartups

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 5.2.19, 2.2.6

Description

The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. To confgure MaxStartups, you should add or correct the following line in the /etc/ssh/sshd_config file:

MaxStartups 10:30:60

CIS recommends a MaxStartups value of '10:30:60', or more restrictive where dictated by site policy.

Rationale

To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon.

OVAL details

SSH MaxStartups start parameter is less than or equal to 10 failed because these items were missing:

Object oval:ssg-obj_sshd_config_maxstartups_first_parameter:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	(?i)^\sMaxStartups\s+(\d+):\d+:\d+\s$	1

State oval:ssg-ste_sshd_config_start_parameter_valid:ste:1 of type textfilecontent54_state

Subexpression
10

SSH MaxStartups rate parameter is greater than or equal to 30 failed because these items were missing:

Object oval:ssg-obj_sshd_config_maxstartups_second_parameter:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	(?i)^\sMaxStartups\s+\d+:(\d+):\d+\s$	1

State oval:ssg-ste_sshd_config_rate_parameter_valid:ste:1 of type textfilecontent54_state

Subexpression
30

SSH MaxStartups full parameter is less than or equal to 100 failed because these items were missing:

Object oval:ssg-obj_sshd_config_maxstartups_third_parameter:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	(?i)^\sMaxStartups\s+\d+:\d+:(\d+)\s$	1

State oval:ssg-ste_sshd_config_full_parameter_valid:ste:1 of type textfilecontent54_state

Subexpression
100

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_sshd_set_maxstartups # promote to variable
  set_fact:
    var_sshd_set_maxstartups: !!str 10:30:60
  tags:
    - always

- name: Ensure SSH MaxStartups is configured
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MaxStartups\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MaxStartups\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MaxStartups\s+
      line: MaxStartups {{ var_sshd_set_maxstartups }}
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_set_maxstartups

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_sshd_set_maxstartups='10:30:60'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Use Only Strong Ciphers

Rule ID xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 5.2.13

Description

Limit the ciphers to strong algorithms. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of those ciphers:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

The man page sshd_config(5) contains a list of supported ciphers.

Rationale

Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBD) method. From that research, new Counter mode algorithms (as described in RFC4344) were designed that are not vulnerable to these types of attacks and these algorithms are now recommended for standard use.

OVAL details

tests the value of Ciphers setting in the /etc/ssh/sshd_config file failed because these items were missing:

Object oval:ssg-obj_sshd_use_strong_ciphers:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)Ciphers(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

State oval:ssg-state_sshd_use_strong_ciphers:ste:1 of type textfilecontent54_state

Subexpression
^((aes128-ctr\|aes192-ctr\|aes256-ctr\|chacha20-poly1305@openssh\.com\|aes256-gcm@openssh\.com\|aes128-gcm@openssh\.com),?)+$

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*Ciphers\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Use Only Strong Key Exchange algorithms

Rule ID xccdf_org.ssgproject.content_rule_sshd_use_strong_kex

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: Req-2.3, 5.2.15, 2.2.7

Description

Limit the Key Exchange to strong algorithms. The following line in /etc/ssh/sshd_config demonstrates use of those:

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Rationale

Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received

OVAL details

tests the value of KexAlgorithms setting in the /etc/ssh/sshd_config file failed because these items were missing:

Object oval:ssg-obj_sshd_use_strong_kex:obj:1 of type variable_object

Var ref
oval:ssg-var_sshd_config_kex:var:1

State oval:ssg-ste_sshd_use_strong_kex:ste:1 of type variable_state

Value
curve25519-sha256curve25519-sha256@libssh.orgecdh-sha2-nistp256ecdh-sha2-nistp384ecdh-sha2-nistp521diffie-hellman-group-exchange-sha256diffie-hellman-group16-sha512diffie-hellman-group18-sha512diffie-hellman-group14-sha256curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256Referenced variable has no values (oval:ssg-var_sshd_config_kex:var:1).

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value sshd_strong_kex # promote to variable
  set_fact:
    sshd_strong_kex: !!str curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
  tags:
    - always

- name: Use Only Strong Key Exchange algorithms
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*KexAlgorithms\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*KexAlgorithms\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*KexAlgorithms\s+
      line: KexAlgorithms {{ sshd_strong_kex }}
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - PCI-DSS-Req-2.3
  - PCI-DSSv4-2.2.7
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_use_strong_kex

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

sshd_strong_kex='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*KexAlgorithms\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "KexAlgorithms $sshd_strong_kex" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Use Only Strong MACs

Rule ID xccdf_org.ssgproject.content_rule_sshd_use_strong_macs

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 5.2.14

Description

Limit the MACs to strong hash algorithms. The following line in /etc/ssh/sshd_config demonstrates use of those MACs:

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

Rationale

MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information

OVAL details

tests the value of MACs setting in the /etc/ssh/sshd_config file failed because these items were missing:

Object oval:ssg-obj_sshd_use_strong_macs:obj:1 of type variable_object

Var ref
oval:ssg-var_sshd_config_strong_macs:var:1

State oval:ssg-ste_sshd_use_strong_macs:ste:1 of type variable_state

Value
hmac-sha2-512-etm@openssh.comhmac-sha2-256-etm@openssh.comumac-128-etm@openssh.comhmac-sha2-512hmac-sha2-256hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256Referenced variable has no values (oval:ssg-var_sshd_config_strong_macs:var:1).

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value sshd_strong_macs # promote to variable
  set_fact:
    sshd_strong_macs: !!str hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
  tags:
    - always

- name: Use Only Strong MACs
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MACs\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MACs\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MACs\s+
      line: MACs {{ sshd_strong_macs }}
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_use_strong_macs

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

sshd_strong_macs='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'


# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^MACs")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "$sshd_strong_macs"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^MACs\\>" "/etc/ssh/sshd_config"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^MACs\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config"
else
    if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Group Who Owns SSH Server config file

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1, R50

Description

To properly set the group owner of /etc/ssh/sshd_config, run the command:

$ sudo chgrp root /etc/ssh/sshd_config

Rationale

OVAL details

Testing group ownership of /etc/ssh/sshd_config passed because these items were not found:

Object oval:ssg-object_file_groupowner_sshd_config_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/ssh/sshd_config	oval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1	oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1

Verify Owner on SSH Server config file

Rule ID xccdf_org.ssgproject.content_rule_file_owner_sshd_config

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1, R50

Description

To properly set the owner of /etc/ssh/sshd_config, run the command:

$ sudo chown root /etc/ssh/sshd_config

Rationale

OVAL details

Testing user ownership of /etc/ssh/sshd_config passed because these items were not found:

Object oval:ssg-object_file_owner_sshd_config_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/ssh/sshd_config	oval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1	oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1

Verify Permissions on SSH Server config file

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_sshd_config

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1, R50, 2.2.6

Description

To properly set the permissions of /etc/ssh/sshd_config, run the command:

$ sudo chmod 0600 /etc/ssh/sshd_config

Rationale

OVAL details

Testing mode of /etc/ssh/sshd_config failed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/etc/ssh/sshd_config	regular	0	0	3254	`rw-r--r--`

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Test for existence /etc/ssh/sshd_config
  stat:
    path: /etc/ssh/sshd_config
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_sshd_config
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/ssh/sshd_config
  file:
    path: /etc/ssh/sshd_config
    mode: u-xs,g-xwrs,o-xwrt
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_sshd_config
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

chmod u-xs,g-xwrs,o-xwrt /etc/ssh/sshd_config

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Permissions on SSH Server Private *_key Key Files

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.4, SRG-OS-000480-GPOS-00227, 5.2.2, R50, 2.2.6

Description

SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter.

Rationale

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

OVAL details

No keys that have unsafe ownership/permissions combination exist passed because these items were not found:

Object oval:ssg-object_offending_keys:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/ssh	.*_key$	oval:ssg-exclude_symlinks__sshd_private_key:ste:1	oval:ssg-filter_ssh_key_owner_root:ste:1

Verify Permissions on SSH Server Public *.pub Key Files

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key

Result

pass

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

Description

To properly set the permissions of /etc/ssh/*.pub, run the command:

$ sudo chmod 0644 /etc/ssh/*.pub

Rationale

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

OVAL details

Testing mode of /etc/ssh/ passed because these items were not found:

Object oval:ssg-object_file_permissions_sshd_pub_key_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/ssh	^.*\.pub$	oval:ssg-exclude_symlinks__sshd_pub_key:ste:1	oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1

Remove the X Windows Package Group

Rule ID xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed

Result

fail

Time 2025-05-13T15:26:36

Severity medium

Identifiers and References

References: 12, 15, 8, APO13.01, DSS01.04, DSS05.02, DSS05.03, CCI-000366, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 2.2.1

Description

By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:

$ sudo apt_get groupremove "X Window System"

$ sudo apt_get remove xorg-x11-server-common

Rationale

Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

Warnings

warning The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target which might bring your system to an inconsistent state requiring additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before continuing installation.

OVAL details

package xserver-xorg is removed failed because of these items:

Name	Arch	Epoch	Release	Version	Evr
xserver-xorg	amd64	1		7.7+23ubuntu2	1:7.7+23ubuntu2

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Ensure xserver-xorg is removed
  package:
    name: xserver-xorg
    state: absent
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_xorg-x11-server-common_removed

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

include remove_xserver-xorg

class remove_xserver-xorg {
  package { 'xserver-xorg':
    ensure => 'purged',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable


# CAUTION: This remediation script will remove xserver-xorg
#	   from the system, and may remove any packages
#	   that depend on xserver-xorg. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

DEBIAN_FRONTEND=noninteractive apt-get remove -y "xserver-xorg"

System Audit Logs Must Have Mode 0750 or Less Permissive

Rule ID	xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, CCI-000162, CCI-000163, CCI-000164, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R6.5, CM-6(a), AC-6(1), AU-9, DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, UBTU-22-653060, 4.1.4.4
Description	If `log_group` in `/etc/audit/auditd.conf` is set to a group other than the `root` group account, change the mode of the audit log files with the following command: $ sudo chmod 0750 /var/log/audit Otherwise, change the mode of the audit log files with the following command: $ sudo chmod 0700 /var/log/audit
Rationale	If users can write to audit logs, audit trails can be modified or destroyed.

System Audit Logs Must Be Group Owned By Root

Rule ID	xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, UBTU-22-653055, 4.1.4.3, 10.3.2
Description	All audit logs must be group owned by root user. The path for audit log can be configured via `log_file` parameter in /etc/audit/auditd.conf or, by default, the path for audit log is /var/log/audit/ . To properly set the group owner of `/var/log/audit/`, run the command: $ sudo chgrp root /var/log/audit/ If `log_group` in `/etc/audit/auditd.conf` is set to a group other than the `root` group account, change the group ownership of the audit logs to this specific group.
Rationale	Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

Audit Configuration Files Must Be Owned By Group root

Rule ID	xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CCI-000171, SRG-OS-000063-GPOS-00032, UBTU-22-653075, 4.1.4.7
Description	All audit configuration files must be owned by group root. chown :root /etc/audit/audit.{rules,conf} /etc/audit/rules.d/
Rationale	Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit Configuration Files Must Be Owned By Root

Rule ID	xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: CCI-000171, SRG-OS-000063-GPOS-00032, UBTU-22-653070, 4.1.4.6
Description	All audit configuration files must be owned by root user. To properly set the owner of `/etc/audit/`, run the command: $ sudo chown root /etc/audit/ To properly set the owner of `/etc/audit/rules.d/`, run the command: $ sudo chown root /etc/audit/rules.d/
Rationale	Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

System Audit Logs Must Be Owned By Root

Rule ID	xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, UBTU-22-653050, 4.1.4.2
Description	All audit logs must be owned by root user. The path for audit log can be configured via `log_file` parameter in /etc/audit/auditd.conf or by default, the path for audit log is /var/log/audit/ . To properly set the owner of `/var/log/audit/`, run the command: $ sudo chown root /var/log/audit/
Rationale	Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

System Audit Logs Must Have Mode 0640 or Less Permissive

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
Result	notapplicable
Time	2025-05-13T15:26:36
Severity	medium
Identifiers and References	References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, SRG-APP-000118-CTR-000240, UBTU-22-653045, 4.1.4.1, 10.3.1
Description	If `log_group` in `/etc/audit/auditd.conf` is set to a group other than the `root` group account, change the mode of the audit log files with the following command: $ sudo chmod 0640 audit_file Otherwise, change the mode of the audit log files with the following command: $ sudo chmod 0600 audit_file
Rationale	If users can write to audit logs, audit trails can be modified or destroyed.

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.