From f040d896a65fbcb267d889a4e6b9ae9182d5afe5 Mon Sep 17 00:00:00 2001 From: Joyce Quach Date: Thu, 12 Dec 2024 17:43:29 -0500 Subject: [PATCH 1/2] Update workflows to use artifact actions v4 Signed-off-by: Joyce Quach --- .github/workflows/verify-container.yml | 2 +- .github/workflows/verify-ec2.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index ce52799..d00101a 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -76,7 +76,7 @@ jobs: rm hardened.md - name: Save Test Result JSONs if: ${{ always() }} - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: path: | vanilla.json diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index c8f3e5f..d5f233e 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -72,6 +72,6 @@ jobs: rm spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.md - name: Save Test Result JSONs if: ${{ always() }} - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: path: spec/results/ From f17cb55532dc833141419860ecc18f0921fb73dc Mon Sep 17 00:00:00 2001 From: jtquach1 Date: Thu, 12 Dec 2024 22:44:51 +0000 Subject: [PATCH 2/2] Updating profile.json in the repository --- profile.json | 6602 +++++++++++++++++++++++++------------------------- 1 file changed, 3301 insertions(+), 3301 deletions(-) diff --git a/profile.json b/profile.json index 55d3dc1..39a1ba8 100644 --- a/profile.json +++ b/profile.json 
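Review bot: The new `uses: actions/upload-artifact@v4` line in verify-container.yml still references the action by a mutable major tag, so whatever commit the `v4` tag is moved to later runs with this workflow's token; pinning to a full commit SHA with the version kept in a trailing comment (`uses: actions/upload-artifact@<full-commit-sha> # v4.x.y`) preserves the upgrade while making the dependency immutable and auditable. No `name:` is visible under `with:` in the hunk; v4 of this action no longer merges repeated uploads into one artifact and instead fails on a duplicate artifact name, so if more than one job in this workflow uploads without a distinct name the later uploads would presumably fail rather than append — worth confirming against the full step outside the hunk. The step's `with:` block and the enclosing job continue beyond the hunk.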
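Review bot: In verify-ec2.yml the upgraded `uses: actions/upload-artifact@v4` step sits in a matrix job (the preceding context line expands `${{ matrix.suite }}`) and uploads `spec/results/` with no `name:` visible in the hunk; v4 rejects a second upload with the same artifact name instead of merging as v2 did, so every matrix leg after the first would presumably fail this step unless the full step supplies a name. A per-leg name such as `name: ec2-results-${{ matrix.suite }}` avoids the collision, and any consumer would then download with `actions/download-artifact@v4` and `merge-multiple: true` to reassemble the set. As in the other workflow, the action is referenced by a floating tag rather than a commit SHA, which leaves the supply-chain pin mutable. The step and the enclosing job continue outside the hunk.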
@@ -214,274 +214,260 @@ ], "controls": [ { - "title": "The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ", - "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "title": "The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. ", + "desc": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", - "check": "Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding.", - "fix": "Configure the system commands directories to be protected from unauthorized access. 
Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;" + "default": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", + "check": "Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000258-GPOS-00099 ", - "gid": "V-238344 ", - "rid": "SV-238344r654207_rule ", - "stig_id": "UBTU-20-010423 ", - "fix_id": "F-41513r654206_fix ", + "gtitle": "SRG-OS-000377-GPOS-00162 ", + "gid": "V-238232 ", + "rid": "SV-238232r853412_rule ", + "stig_id": "UBTU-20-010065 ", + "fix_id": "F-41401r653870_fix ", "cci": [ - "CCI-001495" + "CCI-001954" ], "nist": [ - "AU-9" + "IA-2 (12)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. 
\"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. 
Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n tag 'host', 'container'\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. 
\"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238344.rb", + "ref": "./controls/SV-238232.rb", "line": 1 }, - "id": "SV-238344" + "id": "SV-238232" }, { - "title": "The Ubuntu operating system library files must be owned by root. 
", - "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "title": "The Ubuntu operating system must not have the telnet package installed. ", + "desc": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.", "descriptions": { - "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", - "check": "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! 
-user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding.", - "fix": "Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;" + "default": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.", + "check": "Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding.", + "fix": "Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000259-GPOS-00100 ", - "gid": "V-238349 ", - "rid": "SV-238349r654222_rule ", - "stig_id": "UBTU-20-010428 ", - "fix_id": "F-41518r654221_fix ", + "severity": "high ", + "gtitle": "SRG-OS-000074-GPOS-00042 ", + "gid": "V-238326 ", + "rid": "SV-238326r654153_rule ", + "stig_id": "UBTU-20-010405 ", + "fix_id": "F-41495r654152_fix ", "cci": [ - "CCI-001499" + "CCI-000197" ], "nist": [ - "CM-5 (6)" + "IA-5 (1) (c)" ], "host": null, "container": null }, - "code": "control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. 
Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n tag 'host', 'container'\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238349.rb", + "ref": "./controls/SV-238326.rb", "line": 1 }, - "id": "SV-238349" + "id": "SV-238326" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. 
", + "desc": "If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + "default": "If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.", + "check": "If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration 
/etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding.", + "fix": "Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238255 ", - "rid": "SV-238255r653940_rule ", - "stig_id": "UBTU-20-010139 ", - "fix_id": "F-41424r653939_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000383-GPOS-00166 ", + "gid": "V-238362 ", + "rid": "SV-238362r853437_rule ", + "stig_id": "UBTU-20-010441 ", + "fix_id": "F-41531r654260_fix ", "cci": [ - "CCI-000172" + "CCI-002007" ], "nist": [ - "AU-12 c" + "IA-5 (13)" ], "host": null }, - "code": "control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n 
end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. 
\"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238255.rb", + "ref": "./controls/SV-238362.rb", "line": 1 }, - "id": "SV-238255" + "id": "SV-238362" }, { - "title": "The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ", - "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.", + "title": "The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. ", + "desc": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. 
If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.", - "check": "Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding.", - "fix": "Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory." + "default": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. 
If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.", + "check": "Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1" }, "impact": 0.3, "refs": [], "tags": { "severity": "low ", - "gtitle": "SRG-OS-000479-GPOS-00224 ", - "gid": "V-238321 ", - "rid": "SV-238321r853428_rule ", - "stig_id": "UBTU-20-010300 ", - "fix_id": "F-41490r654137_fix ", + "gtitle": "SRG-OS-000075-GPOS-00043 ", + "gid": "V-238202 ", + "rid": "SV-238202r653781_rule ", + "stig_id": "UBTU-20-010007 ", + "fix_id": "F-41371r653780_fix ", "cci": [ - "CCI-001851" + "CCI-000198" ], "nist": [ - "AU-4 (1)" + "IA-5 (1) (d)" ], "host": null, "container": null }, - "code": "control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. 
\"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host', 'container'\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. 
\"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n tag 'host', 'container'\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238321.rb", + "ref": "./controls/SV-238202.rb", "line": 1 }, - "id": "SV-238321" + "id": "SV-238202" }, { - "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", + "title": "The Ubuntu operating system library directories must be owned by root. 
", + "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. 
The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", - "check": "Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1" + "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding.", + "fix": "Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! 
-user\nroot -type d -exec chown root '{}' \\;" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000071-GPOS-00039 ", - "gid": "V-238223 ", - "rid": "SV-238223r653844_rule ", - "stig_id": "UBTU-20-010052 ", - "fix_id": "F-41392r653843_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238350 ", + "rid": "SV-238350r654225_rule ", + "stig_id": "UBTU-20-010429 ", + "fix_id": "F-41519r654224_fix ", "cci": [ - "CCI-000194" + "CCI-001499" ], "nist": [ - "IA-5 (1) (a)" + "CM-5 (6)" ], "host": null, "container": null }, - "code": "control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! 
-user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238223.rb", + "ref": "./controls/SV-238350.rb", "line": 1 }, - "id": "SV-238223" + "id": "SV-238350" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. 
", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "title": "The Ubuntu operating system must configure the audit tools to be group-owned by root. ", + "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. 
Audit tools include custom queries and\nreport generators.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the 
\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" + "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. 
Audit tools include custom queries and\nreport generators.", + "check": "Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding.", + "fix": "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gtitle": "SRG-OS-000256-GPOS-00097 ", "satisfies": [ - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206" + "SRG-OS-000256-GPOS-00097", + "SRG-OS-000257-GPOS-00098" ], - "gid": "V-238264 ", - "rid": "SV-238264r808477_rule ", - "stig_id": "UBTU-20-010148 ", - "fix_id": "F-41433r808476_fix ", + "gid": "V-238302 ", + "rid": "SV-238302r654081_rule ", + "stig_id": "UBTU-20-010201 ", + "fix_id": "F-41471r654080_fix ", "cci": [ - "CCI-000172" + "CCI-001493", + "CCI-001494" ], "nist": [ - "AU-12 c" + "AU-9 a", + "AU-9" ], "host": null }, - "code": "control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238264.rb", + "ref": "./controls/SV-238302.rb", "line": 1 }, - "id": "SV-238264" + "id": "SV-238302" }, { - "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ", - "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "title": "The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. 
", + "desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", "descriptions": { - "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", - "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", - "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" + "default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit 
information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "check": "Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding.", + "fix": "Configure the audit log directory and its underlying files to be owned by \"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000004-GPOS-00004 ", + "gtitle": "SRG-OS-000057-GPOS-00027 ", "satisfies": [ - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000476-GPOS-00221" + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" ], - "gid": "V-238238 ", - "rid": 
"SV-238238r853416_rule ", - "stig_id": "UBTU-20-010100 ", - "fix_id": "F-41407r653888_fix ", + "gid": "V-238247 ", + "rid": "SV-238247r832947_rule ", + "stig_id": "UBTU-20-010124 ", + "fix_id": "F-41416r832946_fix ", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130" + "CCI-000162" ], "nist": [ - "AC-2 (4)", - "AU-12 c" + "AU-9 a" ], "host": null }, - "code": "control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. 
\"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. 
\"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n admin_groups = input('admin_groups')\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should be_in admin_groups }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238238.rb", + "ref": "./controls/SV-238247.rb", "line": 1 }, - "id": "SV-238238" + "id": "SV-238247" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. 
", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. 
The performance is helped, though, by combining syscalls into\none rule whenever possible.", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load" - }, + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit 
event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000064-GPOS-00033 ", - "satisfies": [ - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206" - ], - "gid": "V-238268 ", - "rid": "SV-238268r808480_rule ", - "stig_id": "UBTU-20-010152 ", - "fix_id": "F-41437r808479_fix ", + "gid": "V-238292 ", + "rid": "SV-238292r654051_rule ", + "stig_id": "UBTU-20-010176 ", + "fix_id": "F-41461r654050_fix ", "cci": [ "CCI-000172" ], 
@@ -490,67 +476,62 @@ ], "host": null }, - "code": "control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if 
audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238268.rb", + "ref": "./controls/SV-238292.rb", "line": 1 }, - "id": "SV-238268" + "id": "SV-238292" }, { - "title": "The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. 
", + "desc": "Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load" + "default": "Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).", + "check": "Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep 
cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding.", + "fix": "Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "satisfies": [ - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000473-GPOS-00218" - ], - "gid": "V-238287 ", - "rid": "SV-238287r654036_rule ", - "stig_id": "UBTU-20-010171 ", - "fix_id": "F-41456r654035_fix ", + "gtitle": "SRG-OS-000384-GPOS-00167 ", + "gid": "V-238233 ", + "rid": "SV-238233r853413_rule ", + "stig_id": "UBTU-20-010066 ", + "fix_id": "F-41402r653873_fix ", "cci": [ - "CCI-000172" + "CCI-001991" ], "nist": [ - "AU-12 c" + "IA-5 (2) (d)" ], "host": null }, - "code": "control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if 
audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' 
do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238287.rb", + "ref": "./controls/SV-238233.rb", "line": 1 }, - "id": "SV-238287" + "id": "SV-238233" }, { - "title": "The Ubuntu operating system library directories must be owned by root. ", + "title": "The Ubuntu operating system library files must be group-owned by root or a system account. ", "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. 
Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", "descriptions": { "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", - "check": "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding.", - "fix": "Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;" + "check": "Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding.", + "fix": "Configure the system library files to be protected from unauthorized access. 
Run the\nfollowing command, replacing \"[FILE]\" with any system command file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000259-GPOS-00100 ", - "gid": "V-238350 ", - "rid": "SV-238350r654225_rule ", - "stig_id": "UBTU-20-010429 ", - "fix_id": "F-41519r654224_fix ", + "gid": "V-238351 ", + "rid": "SV-238351r832962_rule ", + "stig_id": "UBTU-20-010430 ", + "fix_id": "F-41520r832961_fix ", "cci": [ "CCI-001499" ], 
@@ -560,172 +541,224 @@ "host": null, "container": null }, - "code": "control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! 
\\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. 
Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238350.rb", + "ref": "./controls/SV-238351.rb", "line": 1 }, - "id": "SV-238350" + "id": "SV-238351" }, { - "title": "The Ubuntu operating system must not allow accounts configured with blank or null passwords. ", - "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. 
", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.", - "check": "To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding.", - "fix": "If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords." 
+ "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high ", - "gtitle": "SRG-OS-000480-GPOS-00227 ", - "gid": "V-251504 ", - "rid": "SV-251504r832977_rule ", - "stig_id": "UBTU-20-010463 ", - "fix_id": "F-54893r832976_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238294 ", + "rid": "SV-238294r654057_rule ", + "stig_id": "UBTU-20-010178 ", + "fix_id": "F-41463r654056_fix ", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b" + "AU-12 c" ], 
"host": null }, - "code": "control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-251504.rb", + "ref": "./controls/SV-238294.rb", "line": 1 }, - "id": "SV-251504" + "id": "SV-238294" }, { - "title": "The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. 
", - "desc": "If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.", + "title": "The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ", + "desc": "Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.", "descriptions": { - "default": "If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.", - "check": "If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding.", - "fix": "Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file." + "default": "Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. 
If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.", + "check": "Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding.", + "fix": "Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000" }, "impact": 0.3, "refs": [], "tags": { "severity": "low ", - "gtitle": "SRG-OS-000383-GPOS-00166 ", - "gid": "V-238362 ", - "rid": "SV-238362r853437_rule ", - "stig_id": "UBTU-20-010441 ", - "fix_id": "F-41531r654260_fix ", + "gtitle": "SRG-OS-000077-GPOS-00045 ", + "satisfies": [ + "SRG-OS-000077-GPOS-00045", + "SRG-OS-000073-GPOS-00041" + ], + "gid": "V-238234 ", + "rid": "SV-238234r832945_rule ", + "stig_id": "UBTU-20-010070 ", + "fix_id": "F-41403r832944_fix ", "cci": [ - "CCI-002007" + "CCI-000196", + "CCI-000200" ], "nist": [ - "IA-5 (13)" + "IA-5 (1) (c)", + "IA-5 (1) (e)" ], "host": null }, - "code": "control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. 
\"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' 
do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238362.rb", + "ref": "./controls/SV-238234.rb", "line": 1 }, - "id": "SV-238362" + "id": "SV-238234" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. 
", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "title": "The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ", + "desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. 
The performance is helped, though, by combining syscalls into\none rule whenever possible.", - "check": "Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove.", - "fix": "Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load" + "default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "check": "Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding.", + "fix": "Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", + 
"gtitle": "SRG-OS-000057-GPOS-00027 ", "satisfies": [ - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000474-GPOS-00219" + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028" ], - "gid": "V-238271 ", - "rid": "SV-238271r808483_rule ", - "stig_id": "UBTU-20-010155 ", - "fix_id": "F-41440r808482_fix ", + "gid": "V-238245 ", + "rid": "SV-238245r653910_rule ", + "stig_id": "UBTU-20-010122 ", + "fix_id": "F-41414r653909_fix ", "cci": [ - "CCI-000172" + "CCI-000162", + "CCI-000163" ], "nist": [ - "AU-12 c" + "AU-9 a" ], "host": null }, - "code": "control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. 
The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n 
its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n", + "code": "control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. 
\"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238271.rb", + "ref": "./controls/SV-238245.rb", "line": 1 }, - "id": "SV-238271" + "id": "SV-238245" }, { - "title": "The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. 
", - "desc": "Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.", + "title": "The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. 
", + "desc": "Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.", "descriptions": { - "default": "Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. 
This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.", - "check": "Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding.", - "fix": "Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]" + "default": "Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.", + "check": "Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully 
featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000138-GPOS-00069 ", - "gid": "V-238332 ", - "rid": "SV-238332r654171_rule ", - "stig_id": "UBTU-20-010411 ", - "fix_id": "F-41501r654170_fix ", + "gtitle": "SRG-OS-000105-GPOS-00052 ", + "satisfies": [ + "SRG-OS-000105-GPOS-00052", + "SRG-OS-000106-GPOS-00053", + "SRG-OS-000107-GPOS-00054", + "SRG-OS-000108-GPOS-00055" + ], + "gid": "V-238210 ", + "rid": "SV-238210r858517_rule ", + "stig_id": "UBTU-20-010033 ", + "fix_id": "F-41379r653804_fix ", "cci": [ - "CCI-001090" + "CCI-000765", + "CCI-000766", + "CCI-000767", + "CCI-000768" ], "nist": [ - "SC-4" + "IA-2 (1)", + "IA-2 (2)", + "IA-2 (3)", + "IA-2 (4)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. 
\"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. 
\"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n tag 'host', 'container'\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. 
\"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238332.rb", + "ref": "./controls/SV-238210.rb", "line": 1 }, - "id": "SV-238332" + "id": "SV-238210" }, { - "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ", - "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "title": "The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. 
", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", - "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", - "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect 
\"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" + "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding.", + "fix": "Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000004-GPOS-00004 ", - "satisfies": [ - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000476-GPOS-00221" - ], - "gid": "V-238240 ", - "rid": "SV-238240r853418_rule ", - "stig_id": "UBTU-20-010102 ", - "fix_id": "F-41409r653894_fix ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238338 ", + "rid": "SV-238338r654189_rule ", + "stig_id": "UBTU-20-010417 ", + "fix_id": "F-41507r654188_fix 
", + "cci": [ + "CCI-001314" + ], + "nist": [ + "SI-11 b" + ], + "host": null, + "container": null + }, + "code": "control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238338.rb", + "line": 1 + }, + "id": "SV-238338" + }, + { + "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ", + "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "descriptions": { + "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. 
Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000004-GPOS-00004 ", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-238238 ", + "rid": "SV-238238r853416_rule ", + "stig_id": "UBTU-20-010100 ", + "fix_id": "F-41407r653888_fix ", "cci": [ "CCI-000018", "CCI-000172", 
@@ -740,552 +773,505 @@ ], "host": null }, - "code": "control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. 
\"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238240.rb", + "ref": "./controls/SV-238238.rb", "line": 1 }, - "id": "SV-238240" + "id": "SV-238238" }, { - "title": "The Ubuntu operating system must ensure only users who need access to security functions are\npart of 
sudo group. ", - "desc": "An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.", + "title": "The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. 
The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.", - "check": "Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding.", - "fix": "Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo" + "default": "Only authorized personnel should be aware of errors and the details 
of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high ", - "gtitle": "SRG-OS-000134-GPOS-00068 ", - "gid": "V-238206 ", - "rid": "SV-238206r653793_rule ", - "stig_id": "UBTU-20-010012 ", - "fix_id": "F-41375r653792_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238342 ", + "rid": "SV-238342r654201_rule ", + "stig_id": "UBTU-20-010421 ", + "fix_id": "F-41511r654200_fix ", "cci": [ - "CCI-001084" + "CCI-001314" ], "nist": [ - "SC-3" + "SI-11 b" ], "host": null, "container": null }, - "code": "control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. 
\"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. 
\"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host', 'container'\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n", + "code": "control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238206.rb", + "ref": "./controls/SV-238342.rb", "line": 1 }, - "id": "SV-238206" + "id": "SV-238342" }, { - "title": "The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ", - "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.", + "title": "The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. 
", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.", - "check": "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding.", - "fix": "Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist." 
+ "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above.", + "fix": "Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000447-GPOS-00201 ", - "gid": "V-238372 ", - "rid": "SV-238372r853449_rule ", - "stig_id": "UBTU-20-010451 ", - "fix_id": "F-41541r654290_fix ", + "gtitle": "SRG-OS-000477-GPOS-00222 ", + "gid": "V-238320 ", + "rid": "SV-238320r832956_rule ", + "stig_id": "UBTU-20-010298 ", + "fix_id": "F-41489r832955_fix ", "cci": [ - "CCI-002702" + "CCI-000172" ], "nist": [ - "SI-6 d" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. 
The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n tag 'host', 'container'\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n", + "code": "control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238372.rb", + "ref": "./controls/SV-238320.rb", "line": 1 }, - "id": "SV-238372" + "id": "SV-238320" }, { - "title": "The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. 
", - "desc": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", + "title": "Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. ", + "desc": "Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.", "descriptions": { - "default": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", - "check": "Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pcks11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system 
to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11" + "default": "Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.", + "check": "If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.", + "fix": "To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: 
Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000376-GPOS-00161 ", - "gid": "V-238231 ", - "rid": "SV-238231r853411_rule ", - "stig_id": "UBTU-20-010064 ", - "fix_id": "F-41400r653867_fix ", + "gtitle": "SRG-OS-000185-GPOS-00079 ", + "gid": "V-238335 ", + "rid": "SV-238335r654180_rule ", + "stig_id": "UBTU-20-010414 ", + "fix_id": "F-41504r654179_fix ", "cci": [ - "CCI-001953" + "CCI-001199" ], "nist": [ - "IA-2 (12)" + "SC-28" ], "host": null, "container": null }, - "code": "control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n tag 'host', 'container'\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. 
\"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n tag 'host', 'container'\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", "source_location": { - "ref": "./controls/SV-238231.rb", + "ref": "./controls/SV-238335.rb", "line": 1 }, - "id": "SV-238231" + "id": "SV-238335" }, { - "title": "The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ", - "desc": "Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. 
Validation of the\ncertificate status information is out of scope for this requirement.", + "title": "Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ", + "desc": "To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.", "descriptions": { - "default": "Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. 
It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.", - "check": "Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd 
or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." + "default": "To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. 
These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.", + "check": "Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding.", + "fix": "Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000066-GPOS-00034 ", - "gid": "V-238229 ", - "rid": "SV-238229r653862_rule ", - "stig_id": "UBTU-20-010060 ", - "fix_id": "F-41398r653861_fix ", + "severity": "high ", + "gtitle": "SRG-OS-000080-GPOS-00048 ", + "gid": "V-238204 ", + "rid": "SV-238204r832936_rule ", + "stig_id": "UBTU-20-010009 ", + "fix_id": "F-41373r832935_fix ", "cci": [ - "CCI-000185" + "CCI-000213" ], "nist": [ - "IA-5 (2) (b) (1)" + "AC-3" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238229' do\n title \"The Ubuntu operating system, for 
PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. 
\"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. 
Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host', 'container'\n\n grubfile = 
file('/boot/grub/grub.cfg').content.lines\n\n grubfile_passes = grubfile.any? { |line| line.match?(/^password_pbkdf2\\s+root/) }\n\n describe 'Grub' do\n it 'should use an encrypted password for root' do\n expect(grubfile_passes).to be_true, 'No password set for root in grub config'\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238229.rb", + "ref": "./controls/SV-238204.rb", "line": 1 }, - "id": "SV-238229" + "id": "SV-238204" }, { - "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ", - "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "title": "The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. 
Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", - "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", - "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line 
that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000004-GPOS-00004 ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", "satisfies": [ - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000476-GPOS-00221" + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000473-GPOS-00218" ], - "gid": "V-238239 ", - "rid": "SV-238239r853417_rule ", - "stig_id": "UBTU-20-010101 ", - "fix_id": "F-41408r653891_fix ", + "gid": "V-238286 ", + "rid": "SV-238286r654033_rule ", + "stig_id": "UBTU-20-010170 ", + "fix_id": "F-41455r654032_fix ", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130" + "CCI-000172" ], "nist": [ - "AC-2 (4)", "AU-12 c" ], "host": null }, - "code": "control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. 
Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a 
container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238239.rb", + "ref": "./controls/SV-238286.rb", "line": 1 }, - "id": "SV-238239" + "id": "SV-238286" }, { - "title": "The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. 
", - "desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "title": "The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ", + "desc": "Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", - "check": "Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding.", - "fix": "Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw 
log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*" + "default": "Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.", + "check": "Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000057-GPOS-00027 ", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028" - ], - "gid": "V-238245 ", - "rid": "SV-238245r653910_rule ", - "stig_id": "UBTU-20-010122 ", - "fix_id": "F-41414r653909_fix ", + "gtitle": "SRG-OS-000118-GPOS-00060 ", + "gid": "V-238330 ", + "rid": "SV-238330r654165_rule ", + "stig_id": "UBTU-20-010409 ", + "fix_id": "F-41499r654164_fix ", "cci": [ - "CCI-000162", - "CCI-000163" + "CCI-000795" ], "nist": [ - "AU-9 a" + "IA-4 e" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. 
\"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. 
\"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n tag 'host', 'container'\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238245.rb", + "ref": "./controls/SV-238330.rb", "line": 1 }, - "id": "SV-238245" + "id": "SV-238330" }, { - "title": "The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. 
", - "desc": "Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", "descriptions": { - "default": "Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.", - "check": "Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding.", - "fix": "Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in 
the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 
-S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000480-GPOS-00228 ", - "gid": "V-238209 ", - "rid": "SV-238209r653802_rule ", - "stig_id": "UBTU-20-010016 ", - "fix_id": "F-41378r653801_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000471-GPOS-00216" + ], + "gid": "V-238295 ", + "rid": "SV-238295r808486_rule ", + "stig_id": "UBTU-20-010179 ", + "fix_id": "F-41464r808485_fix ", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. 
\"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n", + "code": "control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. 
The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238209.rb", + "ref": "./controls/SV-238295.rb", "line": 1 }, - "id": "SV-238209" + "id": "SV-238295" }, { - "title": "The Ubuntu operating system must disable all wireless network adapters. 
", - "desc": "Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.", + "title": "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. 
", + "desc": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", "descriptions": { - "default": "Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. 
Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.", - "check": "Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding.", - "fix": "List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \"/etc/modprobe.d\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name>" + "default": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and 
modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", + "check": "If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.", + "fix": "To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000481-GPOS-00481 ", - "gid": "V-252704 ", - "rid": "SV-252704r854182_rule ", - "stig_id": "UBTU-20-010455 ", - "fix_id": "F-56110r819056_fix ", + "gtitle": "SRG-OS-000405-GPOS-00184 ", + "gid": "V-238366 ", + "rid": "SV-238366r853443_rule ", + "stig_id": "UBTU-20-010445 ", + "fix_id": "F-41535r654272_fix ", "cci": [ - "CCI-002418" + "CCI-002476" ], "nist": [ - "SC-8" + "SC-28 (1)" ], "host": null, "container": null }, - "code": "control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). 
If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n tag 'host', 'container'\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout.lines') { should be_in input('approved_wireless_interfaces') }\n end\nend\n", + "code": "control 'SV-238366' do\n title \"Ubuntu operating system must implement 
cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. 
\"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n tag 'host', 'container'\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", "source_location": { - "ref": "./controls/SV-252704.rb", + "ref": "./controls/SV-238366.rb", "line": 1 }, - "id": "SV-252704" + "id": "SV-238366" }, { - "title": "The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. ", - "desc": "Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).", + "title": "The Ubuntu operating system must have directories that contain system commands group-owned\nby root. ", + "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. 
Audit tools include custom queries and\nreport generators.", "descriptions": { - "default": "Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).", - "check": "Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding.", - "fix": "Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." + "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "check": "Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding.", + "fix": "Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! 
-group root -type d -exec chgrp root '{}' \\;" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000384-GPOS-00167 ", - "gid": "V-238233 ", - "rid": "SV-238233r853413_rule ", - "stig_id": "UBTU-20-010066 ", - "fix_id": "F-41402r653873_fix ", + "gtitle": "SRG-OS-000258-GPOS-00099 ", + "gid": "V-238346 ", + "rid": "SV-238346r654213_rule ", + "stig_id": "UBTU-20-010425 ", + "fix_id": "F-41515r654212_fix ", "cci": [ - "CCI-001991" + "CCI-001495" ], "nist": [ - "IA-5 (2) (d)" + "AU-9" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. 
\"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n tag 'host', 'container'\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! 
-group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238233.rb", + "ref": "./controls/SV-238346.rb", "line": 1 }, - "id": "SV-238233" + "id": "SV-238346" }, { - "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. ", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.", + "title": "The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). 
", + "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! 
@ # $ % ^ *.", - "check": "Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the\nfollowing command:\n\n$ grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter:\n\n\nocredit=-1" + "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).", + "check": "If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \"maxpoll\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \"chrony.conf\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil 
iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \"server\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding.", + "fix": "If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing\n\"[source]\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \"chrony\" service was running and the value of \"maxpoll\" or\n\"server\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000266-GPOS-00101 ", - "gid": "V-238226 ", - "rid": "SV-238226r653853_rule ", - "stig_id": "UBTU-20-010055 ", - "fix_id": "F-41395r653852_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000355-GPOS-00143 ", + "gid": "V-238356 ", + "rid": "SV-238356r853431_rule ", + "stig_id": "UBTU-20-010435 ", + "fix_id": "F-41525r808491_fix ", "cci": [ - "CCI-001619" + "CCI-001891" ], "nist": [ - "IA-5 (1) (a)" + "AU-8 (1) (a)" ], "host": null, "container": null }, - "code": "control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. 
The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). 
\"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. 
Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n tag 'host', 'container'\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238226.rb", + "ref": "./controls/SV-238356.rb", "line": 1 }, - "id": "SV-238226" + "id": "SV-238356" }, { - "title": "The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. 
", - "desc": "Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.", + "title": "The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. 
It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.", - "check": "Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding.", - "fix": "Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName]" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w 
/var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000380-GPOS-00165 ", - "gid": "V-238361 ", - "rid": "SV-238361r853436_rule ", - "stig_id": "UBTU-20-010440 ", - "fix_id": "F-41530r654257_fix ", + "gtitle": "SRG-OS-000472-GPOS-00217 ", + "gid": "V-238315 ", + "rid": "SV-238315r654120_rule ", + "stig_id": "UBTU-20-010277 ", + "fix_id": "F-41484r654119_fix ", "cci": [ - "CCI-002041" + "CCI-000172" ], "nist": [ - "IA-5 (1) (f)" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. 
\"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n tag 'host', 'container'\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n", + "code": "control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238361.rb", + "ref": "./controls/SV-238315.rb", "line": 1 }, - "id": "SV-238361" + "id": "SV-238315" }, { - "title": "The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. ", - "desc": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. 
If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", "descriptions": { - "default": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. 
Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.", - "check": "Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \"/etc/ssl/certs\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding.", - "fix": "Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of\nall uncommented lines that do not start with the \"!\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM\nformat.\n\nUpdate the \"/etc/ssl/certs\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or 
policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" }, "impact": 0.5, "refs": [], "tags": { 
"severity": "medium ", - "gtitle": "SRG-OS-000403-GPOS-00182 ", - "gid": "V-238364 ", - "rid": "SV-238364r860824_rule ", - "stig_id": "UBTU-20-010443 ", - "fix_id": "F-41533r860823_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206" + ], + "gid": "V-238264 ", + "rid": "SV-238264r808477_rule ", + "stig_id": "UBTU-20-010148 ", + "fix_id": "F-41433r808476_fix ", "cci": [ - "CCI-002470" + "CCI-000172" ], "nist": [ - "SC-23 (5)" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. 
\"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n tag 'host', 'container'\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 
-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n", + "code": "control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. 
The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238364.rb", + "ref": "./controls/SV-238264.rb", "line": 1 }, - "id": "SV-238364" + "id": "SV-238264" }, { - "title": "Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. 
", - "desc": "Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.", + "title": "The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. ", + "desc": "If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. 
This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.", "descriptions": { - "default": "Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.", - "check": "If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems 
(such as /proc or /sys) are not listed, this is a finding.", - "fix": "To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed." + "default": "If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. 
This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.", + "check": "Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000185-GPOS-00079 ", - "gid": "V-238335 ", - "rid": "SV-238335r654180_rule ", - "stig_id": "UBTU-20-010414 ", - "fix_id": "F-41504r654179_fix ", + "gtitle": "SRG-OS-000392-GPOS-00172 ", + "satisfies": [ + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-238309 ", + "rid": "SV-238309r853427_rule ", + "stig_id": "UBTU-20-010244 ", + "fix_id": "F-41478r654101_fix ", "cci": [ - "CCI-001199" + "CCI-000172", + "CCI-002884" ], "nist": [ - "SC-28" + "AU-12 c", + "MA-4 (1) (a)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic 
mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. 
\"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n tag 'host', 'container'\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", + "code": "control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. 
This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not 
cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238335.rb", + "ref": "./controls/SV-238309.rb", "line": 1 }, - "id": "SV-238335" + "id": "SV-238309" }, { - "title": "The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. ", - "desc": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.", + "title": "The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. 
", + "desc": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", "descriptions": { - "default": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.", - "check": "Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the\n\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a\nfinding.", - "fix": "Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \"administrator_account\" to an account for\nsecurity personnel.\n\nRestart the 
\"auditd\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service" + "default": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", + "check": "Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pcks11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000046-GPOS-00022 ", - "gid": "V-238243 ", - "rid": "SV-238243r653904_rule ", - "stig_id": "UBTU-20-010117 ", - "fix_id": "F-41412r653903_fix ", - "cci": [ - "CCI-000139" - ], - "nist": [ - "AU-5 a" - ], - "host": null - }, - "code": "control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. 
Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. 
\"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n", - "source_location": { - "ref": "./controls/SV-238243.rb", - "line": 1 - }, - "id": "SV-238243" - }, - { - "title": "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. 
", - "desc": "Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", - "descriptions": { - "default": "Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of 
privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", - "check": "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding.", - "fix": "Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd" - }, - "impact": 0, - "refs": [], - "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000228-GPOS-00088 ", - "satisfies": [ - "SRG-OS-000228-GPOS-00088", - "SRG-OS-000023-GPOS-00006" - ], - "gid": "V-238214 ", - "rid": "SV-238214r858525_rule ", - "stig_id": "UBTU-20-010038 ", - "fix_id": "F-41383r653816_fix ", + "gtitle": "SRG-OS-000376-GPOS-00161 ", + "gid": "V-238231 ", + "rid": "SV-238231r853411_rule ", + "stig_id": "UBTU-20-010064 ", + "fix_id": "F-41400r653867_fix ", "cci": [ - "CCI-000048", - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" + "CCI-001953" ], "nist": [ - "AC-8 a", - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 3" + "IA-2 (12)" ], "host": null, "container": null }, - "code": "control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. 
If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. 
\"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n tag 'host', 'container'\n\n if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable' do\n if virtualization.system.eql?('docker')\n skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled'\n else\n skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed'\n end\n end\n else\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? 
&& file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\n end\nend\n", + "code": "control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n tag 'host', 'container'\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238214.rb", + "ref": "./controls/SV-238231.rb", "line": 1 }, - "id": "SV-238214" + "id": "SV-238231" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. ", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. ", "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a 
always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chage\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the\n\"unix_update\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"unix_update\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238291 ", - "rid": "SV-238291r654048_rule ", - "stig_id": "UBTU-20-010175 ", - "fix_id": 
"F-41460r654047_fix ", + "gid": "V-238289 ", + "rid": "SV-238289r654042_rule ", + "stig_id": "UBTU-20-010173 ", + "fix_id": "F-41458r654041_fix ", "cci": [ "CCI-000172" ], 
@@ -1294,655 +1280,725 @@ ], "host": null }, - "code": "control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n 
subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238291.rb", + "ref": "./controls/SV-238289.rb", "line": 1 }, - "id": "SV-238291" + "id": "SV-238289" }, { - "title": "The Ubuntu operating system must configure the /var/log directory to be owned by root. ", - "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The Ubuntu operating system must disable all wireless network adapters. ", + "desc": "Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. 
Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. 
The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \"%n %U\" /var/log\n/var/log root\n\nIf the\n\"/var/log\" directory is not owned by root, this is a finding.", - "fix": "Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running\nthe following command:\n\n$ sudo chown root /var/log" + "default": "Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). 
If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.", + "check": "Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding.", + "fix": "List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \"/etc/modprobe.d\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name>" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000206-GPOS-00084 ", - "gid": "V-238339 ", - "rid": "SV-238339r654192_rule ", - "stig_id": "UBTU-20-010418 ", - "fix_id": "F-41508r654191_fix ", + "gtitle": "SRG-OS-000481-GPOS-00481 ", + "gid": "V-252704 ", + "rid": "SV-252704r854182_rule ", + "stig_id": "UBTU-20-010455 ", + "fix_id": "F-56110r819056_fix ", "cci": [ - "CCI-001314" + "CCI-002418" ], "nist": [ - "SI-11 b" + "SC-8" ], "host": null, "container": null }, - "code": "control 'SV-238339' do\n title 'The Ubuntu operating 
system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n", + "code": "control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. 
'\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. 
\"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n tag 'host', 'container'\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout.lines') { should be_in input('approved_wireless_interfaces') }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238339.rb", + "ref": "./controls/SV-252704.rb", "line": 1 }, - "id": "SV-238339" + "id": "SV-252704" }, { - "title": "The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day 
minimum password lifetime restriction. ", - "desc": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.", + "title": "The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. ", + "desc": "Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.", "descriptions": { - "default": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.", - "check": "Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1" + "default": "Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.", + "check": "Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating 
system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding.", + "fix": "Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000075-GPOS-00043 ", - "gid": "V-238202 ", - "rid": "SV-238202r653781_rule ", - "stig_id": "UBTU-20-010007 ", - "fix_id": "F-41371r653780_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000480-GPOS-00228 ", + "gid": "V-238209 ", + "rid": "SV-238209r653802_rule ", + "stig_id": "UBTU-20-010016 ", + "fix_id": "F-41378r653801_fix ", "cci": [ - "CCI-000198" + "CCI-000366" ], "nist": [ - "IA-5 (1) (d)" + "CM-6 b" ], "host": null, "container": null }, - "code": "control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. 
\"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n tag 'host', 'container'\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n", + "code": "control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. 
\"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238202.rb", + "ref": "./controls/SV-238209.rb", "line": 1 }, - "id": "SV-238202" + "id": "SV-238209" }, { - "title": "The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. ", - "desc": "Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). 
If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). 
If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.", - "check": "Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\"openssh\" server package is not installed, this is a finding.\n\nVerify the \"sshd.service\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \"(active|loaded)\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding.", - "fix": "Install the \"ssh\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \"ssh\" service is running\n\n$ sudo\nsystemctl start sshd.service" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-agent\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep 
'/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-agent\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high ", - "gtitle": "SRG-OS-000423-GPOS-00187 ", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000425-GPOS-00189", - "SRG-OS-000426-GPOS-00190" - ], - "gid": "V-238215 ", - "rid": "SV-238215r853406_rule ", - "stig_id": "UBTU-20-010042 ", - "fix_id": "F-41384r653819_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238256 ", + "rid": "SV-238256r653943_rule ", + "stig_id": "UBTU-20-010140 ", + "fix_id": "F-41425r653942_fix ", "cci": [ - "CCI-002418", - "CCI-002420", - "CCI-002422" + "CCI-000172" ], "nist": [ - "SC-8", - "SC-8 (2)" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. 
\"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. 
\"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n tag 'host', 'container'\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 
'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238215.rb", + "ref": "./controls/SV-238256.rb", "line": 1 }, - "id": "SV-238215" + "id": "SV-238256" }, { - "title": "The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. ", - "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.", + "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. ", + "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. 
Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", "descriptions": { - "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). 
This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.", - "check": "Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \"makestep\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \"1 -1\", this is a finding.", - "fix": "Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\"/etc/chrony/chrony.conf\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service" + "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. 
Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", + "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nAdd or update the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000356-GPOS-00144 ", - "gid": "V-238357 ", - "rid": "SV-238357r853432_rule ", - "stig_id": "UBTU-20-010436 ", - "fix_id": "F-41526r654245_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000004-GPOS-00004 ", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-238242 ", + "rid": "SV-238242r853420_rule ", + "stig_id": "UBTU-20-010104 ", + "fix_id": "F-41411r653900_fix ", 
"cci": [ - "CCI-002046" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" ], "nist": [ - "AU-8 (1) (b)" + "AC-2 (4)", + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. 
\"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n tag 'host', 'container'\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match(/^makestep 1 -1/) }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. 
Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a 
container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238357.rb", + "ref": "./controls/SV-238242.rb", "line": 1 }, - "id": "SV-238357" + "id": "SV-238242" }, { - "title": "The Ubuntu operating system must initiate session audits at system start-up. ", - "desc": "If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.", + "title": "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ", + "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.", "descriptions": { - "default": "If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. 
Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.", - "check": "Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \"^\\s*linux\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \"audit=1\", this is a finding.", - "fix": "Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub" + "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.", + "check": "Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\"\nis not masked, this is a finding.", + "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": 
{ - "severity": "medium ", - "gtitle": "SRG-OS-000254-GPOS-00095 ", - "gid": "V-238299 ", - "rid": "SV-238299r654072_rule ", - "stig_id": "UBTU-20-010198 ", - "fix_id": "F-41468r654071_fix ", + "severity": "high ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-238380 ", + "rid": "SV-238380r832974_rule ", + "stig_id": "UBTU-20-010460 ", + "fix_id": "F-41549r832973_fix ", "cci": [ - "CCI-001464" + "CCI-000366" ], "nist": [ - "AU-14 (1)" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\n end\nend\n", + "code": "control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. 
\"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238299.rb", + "ref": "./controls/SV-238380.rb", "line": 1 }, - "id": "SV-238299" + "id": "SV-238380" }, { - "title": "The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). ", - "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. 
Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).", + "title": "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. ", + "desc": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. 
Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", "descriptions": { - "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. 
Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).", - "check": "If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \"maxpoll\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \"chrony.conf\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \"server\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding.", - "fix": "If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \"/etc/chrony/chrony.conf\" file. 
Add or correct the following lines, by replacing\n\"[source]\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \"chrony\" service was running and the value of \"maxpoll\" or\n\"server\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service" + "default": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. 
Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", + "check": "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\"You are accessing a U.S.\nGovernment \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use\nonly.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the\nfollowing conditions:\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and\ncounterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,\nauthentication and access controls\\) to protect USG interests--not for your personal\nbenefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, 
and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding.", + "fix": "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nSet the \"banner-message-text\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000355-GPOS-00143 ", - "gid": "V-238356 ", - "rid": "SV-238356r853431_rule ", - "stig_id": "UBTU-20-010435 ", - "fix_id": "F-41525r808491_fix ", + "gtitle": "SRG-OS-000023-GPOS-00006 ", + "gid": "V-238198 ", + "rid": "SV-238198r653769_rule ", + "stig_id": "UBTU-20-010003 ", + "fix_id": "F-41367r653768_fix ", "cci": [ - "CCI-001891" + "CCI-000048" ], "nist": [ - "AU-8 (1) (a)" + "AC-8 a" ], "host": null, "container": null }, - "code": "control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). 
\"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. 
Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n tag 'host', 'container'\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n", + "code": "control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. 
\"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation 
or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host', 'container'\n\n expected_banner_text = input('banner_text')\n clean_banner = expected_banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n actual_banner_text = parse_config_file('/etc/gdm3/greeter.dconf-defaults').params['org/gnome/login-screen']['banner-message-text']\n clean_actual_banner = actual_banner_text.gsub(/[\\r\\n\\s]/, '').gsub(/\\\\n/, '').gsub(/'/, '')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { clean_actual_banner }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238356.rb", + "ref": "./controls/SV-238198.rb", "line": 1 }, - "id": "SV-238356" + "id": "SV-238198" }, { - "title": "The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). 
", + "desc": "If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load" + "default": "If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. 
Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.", + "check": "To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \"time zone\"\nTimezone: UTC (UTC, +0000)\n\nIf \"Timezone\" is not\nset to UTC or GMT, this is a finding.", + "fix": "To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE]" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "satisfies": [ - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000473-GPOS-00218" - ], - "gid": "V-238286 ", - "rid": "SV-238286r654033_rule ", - "stig_id": "UBTU-20-010170 ", - "fix_id": "F-41455r654032_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000359-GPOS-00146 ", + "gid": "V-238308 ", + "rid": "SV-238308r853426_rule ", + "stig_id": "UBTU-20-010230 ", + "fix_id": "F-41477r654098_fix ", "cci": [ - "CCI-000172" + "CCI-001890" ], "nist": [ - "AU-12 c" + "AU-8 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if 
audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. 
\"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n tag 'host', 'container'\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match /UTC|GMT/ }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238286.rb", + "ref": "./controls/SV-238308.rb", "line": 1 }, - "id": "SV-238286" + "id": "SV-238308" }, { - "title": "The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. ", - "desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "title": "The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. ", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. 
The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", - "check": "Verify the audit log files are owned by \"root\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \"root\" user by using the following\ncommand:\n\n$ sudo stat -c \"%n %U\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \"root\", this is a finding.", - "fix": "Configure the audit log directory and its underlying files to be owned by \"root\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \"root\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/*" + "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. 
Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \"/var/log/syslog\" file is not group-owned by adm, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000057-GPOS-00027 ", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" - ], - "gid": "V-238246 ", - "rid": "SV-238246r653913_rule ", - "stig_id": "UBTU-20-010123 ", - "fix_id": "F-41415r653912_fix ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238341 ", + "rid": "SV-238341r654198_rule ", + "stig_id": "UBTU-20-010420 ", + "fix_id": "F-41510r654197_fix ", "cci": [ - "CCI-000162" + "CCI-001314" ], "nist": [ - "AU-9 a" + "SI-11 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. 
\"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n 
describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238246.rb", + "ref": "./controls/SV-238341.rb", "line": 1 }, - "id": "SV-238246" + "id": "SV-238341" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must prevent direct login into the root account. ", + "desc": "To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. 
This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"key\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"passwd\" command.\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F 
auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + "default": "To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.", + "check": "Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \"L\" in the second field to indicate the account is locked, this is a finding.", + "fix": "Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root" }, "impact": 0.5, "refs": [], 
"tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238288 ", - "rid": "SV-238288r833012_rule ", - "stig_id": "UBTU-20-010172 ", - "fix_id": "F-41457r832949_fix ", + "gtitle": "SRG-OS-000109-GPOS-00056 ", + "gid": "V-238329 ", + "rid": "SV-238329r654162_rule ", + "stig_id": "UBTU-20-010408 ", + "fix_id": "F-41498r654161_fix ", "cci": [ - "CCI-000172" + "CCI-000770" ], "nist": [ - "AU-12 c" + "IA-2 (5)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. 
Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n tag 'host', 'container'\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match(/^root\\s+L\\s+.*$/) }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238288.rb", + "ref": "./controls/SV-238329.rb", "line": 1 }, - "id": "SV-238288" + "id": "SV-238329" }, { - "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. ", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", + "title": "The Ubuntu operating system must prevent the use of dictionary words for passwords. ", + "desc": "If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. 
Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", - "check": "Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"lcredit\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding.", - "fix": "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter:\n\n\nlcredit=-1" + "default": "If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.", + "check": "Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to\n\"1\" or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file to include the\n\"dictcheck=1\" parameter:\n\ndictcheck=1" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000070-GPOS-00038 ", - "gid": "V-238222 ", - "rid": "SV-238222r653841_rule ", - "stig_id": "UBTU-20-010051 ", - "fix_id": "F-41391r653840_fix ", + "severity": "medium ", + 
"gtitle": "SRG-OS-000480-GPOS-00225 ", + "gid": "V-238227 ", + "rid": "SV-238227r653856_rule ", + "stig_id": "UBTU-20-010056 ", + "fix_id": "F-41396r653855_fix ", "cci": [ - "CCI-000193" + "CCI-000366" ], "nist": [ - "IA-5 (1) (a)" + "CM-6 b" ], "host": null, "container": null }, - "code": "control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. 
\"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238222.rb", + "ref": "./controls/SV-238227.rb", "line": 1 }, - "id": "SV-238222" + "id": "SV-238227" }, { - "title": "The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. ", - "desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "title": "The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. ", + "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. 
Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", - "check": "Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding.", - "fix": "Configure the audit log directory and its underlying files to be owned by 
\"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP" + "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). 
This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.", + "check": "Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \"makestep\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \"1 -1\", this is a finding.", + "fix": "Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\"/etc/chrony/chrony.conf\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000057-GPOS-00027 ", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" - ], - "gid": "V-238247 ", - "rid": "SV-238247r832947_rule ", - "stig_id": "UBTU-20-010124 ", - "fix_id": "F-41416r832946_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000356-GPOS-00144 ", + "gid": "V-238357 ", + "rid": "SV-238357r853432_rule ", + "stig_id": "UBTU-20-010436 ", + "fix_id": "F-41526r654245_fix ", "cci": [ - "CCI-000162" + "CCI-002046" ], "nist": [ - "AU-9 a" + "AU-8 (1) (b)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. 
\"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. 
\"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n admin_groups = input('admin_groups')\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should be_in admin_groups }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. 
Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. 
\"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n tag 'host', 'container'\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match(/^makestep 1 -1/) }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238247.rb", + "ref": "./controls/SV-238357.rb", "line": 1 }, - "id": "SV-238247" + "id": "SV-238357" }, { - "title": "The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. ", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.", + "title": "The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. 
", + "desc": "The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system's needs.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. 
\"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.", - "check": "Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \"libpam-pwquality\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \"enforcing\" is not \"1\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \"pwquality\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\",\nthis is a finding.", - "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\n\nInstall the \"pam_pwquality\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \"/etc/security/pwquality.conf\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\"/etc/pam.d/common-password\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and\n\"3\"." + "default": "The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. 
A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system's needs.", + "check": "Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"\n\nX11Forwarding no\n\nIf the\n\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding.", + "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\"\nkeyword and set its value to \"no\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000480-GPOS-00225 ", - "gid": "V-238228 ", - "rid": "SV-238228r653859_rule ", - "stig_id": "UBTU-20-010057 ", - "fix_id": "F-41397r653858_fix ", + "severity": "high ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-238219 ", + "rid": "SV-238219r858533_rule ", + "stig_id": "UBTU-20-010048 ", + "fix_id": "F-41388r653831_fix ", "cci": [ "CCI-000366" ], "nist": 
[ "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. 
\"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3$' }\n end\n end\nend\n", + "code": "control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. 
A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system's needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. 
\"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238228.rb", + "ref": "./controls/SV-238219.rb", "line": 1 }, - "id": "SV-238228" + "id": "SV-238219" }, { - "title": "The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. ", - "desc": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.", + "title": "The Ubuntu operating system library files must have mode 0755 or less permissive. 
", + "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. 
No other activity aside from reauthentication must unlock\nthe system.", - "check": "Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \"lock-enabled\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \"lock-enabled\" is\nnot set to \"true\", this is a finding.", - "fix": "Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \"lock-enabled\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true" + "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. 
Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding.", + "fix": "Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000028-GPOS-00009 ", - "satisfies": [ - "SRG-OS-000028-GPOS-00009", - "SRG-OS-000029-GPOS-00010" - ], - "gid": "V-238199 ", - "rid": "SV-238199r653772_rule ", - "stig_id": "UBTU-20-010004 ", - "fix_id": "F-41368r653771_fix ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238347 ", + "rid": "SV-238347r654216_rule ", + "stig_id": "UBTU-20-010426 ", + "fix_id": "F-41516r654215_fix ", "cci": [ - "CCI-000056", - "CCI-000057" + "CCI-001499" ], "nist": [ - "AC-11 b", - "AC-11 a" + "CM-5 (6)" ], "host": null, "container": null }, - "code": "control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. 
\"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n tag 'host', 'container'\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled').stdout.strip do\n it { should cmp true }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", + "code": "control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. 
Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238199.rb", + "ref": "./controls/SV-238347.rb", "line": 1 }, - "id": "SV-238199" + "id": "SV-238347" }, { - "title": "The Ubuntu operating system must be configured to use TCP syncookies. 
", - "desc": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.", + "title": "The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ", + "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", "descriptions": { - "default": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. 
Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.", - "check": "Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding.", - "fix": "Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default\nvalue, add or update the following line in \"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies\n= 1" + "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. 
Audit tools include custom queries and\nreport generators.", + "check": "Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding.", + "fix": "Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000142-GPOS-00071 ", - "gid": "V-238333 ", - "rid": "SV-238333r654174_rule ", - "stig_id": "UBTU-20-010412 ", - "fix_id": "F-41502r654173_fix ", + "gtitle": "SRG-OS-000258-GPOS-00099 ", + "gid": "V-238344 ", + "rid": "SV-238344r654207_rule ", + "stig_id": "UBTU-20-010423 ", + "fix_id": "F-41513r654206_fix ", "cci": [ - "CCI-001095" + "CCI-001495" ], "nist": [ - "SC-5 (2)" + "AU-9" ], "host": null, "container": null }, - "code": "control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. 
\"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n tag 'host', 'container'\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n", + "code": "control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. 
Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n tag 'host', 'container'\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238333.rb", + "ref": "./controls/SV-238344.rb", "line": 1 }, - "id": "SV-238333" + "id": "SV-238344" }, { - "title": "The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. ", - "desc": "In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. 
However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. 
However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.", - "check": "Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \"execve\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", - "fix": "Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following 
command:\n\n$\nsudo augenrules --load" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"gpasswd\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000326-GPOS-00126 ", - "satisfies": [ - "SRG-OS-000326-GPOS-00126", - "SRG-OS-000327-GPOS-00127" - ], - "gid": "V-238304 ", - "rid": "SV-238304r853422_rule ", - "stig_id": "UBTU-20-010211 ", - "fix_id": "F-41473r654086_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238290 ", + "rid": "SV-238290r654045_rule ", + "stig_id": "UBTU-20-010174 ", + "fix_id": "F-41459r654044_fix ", "cci": [ - "CCI-002233", - "CCI-002234" + "CCI-000172" ], "nist": [ - "AC-6 (8)", - "AC-6 (9)" 
+ "AU-12 c" ], "host": null }, - "code": "control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if 
audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238304.rb", + "ref": "./controls/SV-238290.rb", "line": 1 }, - "id": "SV-238304" + "id": "SV-238290" }, { - "title": "The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "title": "The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. 
", + "desc": "Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. 
Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n\"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \"setxattr\", \"fsetxattr\",\n\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and\n\"lremovexattr\" system calls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr 
-F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load" + "default": "Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. 
If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.", + "check": "Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \"disabled\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\",\nthis is a finding.", + "fix": "Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gtitle": "SRG-OS-000122-GPOS-00063 ", "satisfies": [ - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206" + "SRG-OS-000122-GPOS-00063", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000038-GPOS-00016", + "SRG-OS-000039-GPOS-00017", + "SRG-OS-000040-GPOS-00018", + "SRG-OS-000041-GPOS-00019", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000042-GPOS-00021", + "SRG-OS-000051-GPOS-00024", + "SRG-OS-000054-GPOS-00025", + 
"SRG-OS-000062-GPOS-00031", + "SRG-OS-000337-GPOS-00129", + "SRG-OS-000348-GPOS-00136", + "SRG-OS-000349-GPOS-00137", + "SRG-OS-000350-GPOS-00138", + "SRG-OS-000351-GPOS-00139", + "SRG-OS-000352-GPOS-00140", + "SRG-OS-000353-GPOS-00141", + "SRG-OS-000354-GPOS-00142", + "SRG-OS-000475-GPOS-00220" ], - "gid": "V-238258 ", - "rid": "SV-238258r808474_rule ", - "stig_id": "UBTU-20-010142 ", - "fix_id": "F-41427r808473_fix ", + "gid": "V-238298 ", + "rid": "SV-238298r853421_rule ", + "stig_id": "UBTU-20-010182 ", + "fix_id": "F-41467r654068_fix ", "cci": [ - "CCI-000172" + "CCI-000130", + "CCI-000131", + "CCI-000132", + "CCI-000133", + "CCI-000134", + "CCI-000135", + "CCI-000154", + "CCI-000158", + "CCI-000169", + "CCI-000172", + "CCI-001875", + "CCI-001876", + "CCI-001877", + "CCI-001878", + "CCI-001879", + "CCI-001880", + "CCI-001881", + "CCI-001882", + "CCI-001914" ], "nist": [ - "AU-12 c" + "AU-3 a", + "AU-3 b", + "AU-3 c", + "AU-3 d", + "AU-3 e", + "AU-3 (1)", + "AU-6 (4)", + "AU-7 (1)", + "AU-12 a", + "AU-12 c", + "AU-7 a", + "AU-7 b", + "AU-12 (3)" ], "host": null }, - "code": "control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. 
The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238298' do\n title \"The Ubuntu operating 
system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. 
If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. 
\"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n", 
"source_location": { - "ref": "./controls/SV-238258.rb", + "ref": "./controls/SV-238298.rb", "line": 1 }, - "id": "SV-238258" + "id": "SV-238298" }, { - "title": "The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. ", - "desc": "Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. 
For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.", - "check": "Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding.", - "fix": "Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \"[service]\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. 
An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chcon\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chcon\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000420-GPOS-00186 ", - "gid": "V-238367 ", - "rid": "SV-238367r853444_rule ", - "stig_id": "UBTU-20-010446 ", - "fix_id": "F-41536r654275_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238281 ", + "rid": "SV-238281r654018_rule ", + "stig_id": "UBTU-20-010165 ", + "fix_id": "F-41450r654017_fix ", "cci": [ - "CCI-002385" + "CCI-000172" ], "nist": [ - "SC-5 a" + "AU-12 c" ], - "host": null, - "container": null + 
"host": null }, - "code": "control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. 
\"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n tag 'host', 'container'\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n", + "code": "control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { 
should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238367.rb", + "ref": "./controls/SV-238281.rb", "line": 1 }, - "id": "SV-238367" + "id": "SV-238281" }, { - "title": "The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. ", - "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ", + "desc": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. 
Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding.", - "fix": "Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log" + "default": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", + "check": "Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \"disabled\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \"inactive\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding.", + "fix": "Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000206-GPOS-00084 ", - "gid": "V-238338 ", - "rid": "SV-238338r654189_rule ", - "stig_id": "UBTU-20-010417 ", - "fix_id": "F-41507r654188_fix ", + "gtitle": "SRG-OS-000297-GPOS-00115 ", + "gid": "V-238355 ", + "rid": "SV-238355r853430_rule ", + "stig_id": "UBTU-20-010434 ", + "fix_id": "F-41524r654239_fix ", "cci": [ - "CCI-001314" + "CCI-002314" ], "nist": [ - "SI-11 b" + "AC-17 (1)" ], "host": null, "container": null }, - "code": "control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. 
\"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n", + "code": "control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). 
'\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. 
\"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n tag 'host', 'container'\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238338.rb", + "ref": "./controls/SV-238355.rb", "line": 1 }, - "id": "SV-238338" + "id": "SV-238355" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. ", + "title": "The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. ", + "desc": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.", + "descriptions": { + "default": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. 
Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.", + "check": "Verify the Ubuntu operating system has the \"vlock\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \"vlock\" is not installed, this is a finding.", + "fix": "Install the \"vlock\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000030-GPOS-00011 ", + "satisfies": [ + "SRG-OS-000030-GPOS-00011", + "SRG-OS-000031-GPOS-00012" + ], + "gid": "V-238200 ", + "rid": "SV-238200r653775_rule ", + "stig_id": "UBTU-20-010005 ", + "fix_id": "F-41369r653774_fix ", + "cci": [ + "CCI-000058", + "CCI-000060" + ], + "nist": [ + "AC-11 a", + "AC-11 (1)" + ], + "host": null, + "container": null + }, + "code": "control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. 
Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n tag 'host', 'container'\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238200.rb", + "line": 1 + }, + "id": "SV-238200" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. 
", "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"crontab\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-keysign\" command.\n\nCheck the configured audit rules with the\nfollowing 
commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-keysign\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238293 ", - "rid": "SV-238293r654054_rule ", - "stig_id": "UBTU-20-010177 ", - "fix_id": "F-41462r654053_fix ", + "gid": "V-238257 ", + "rid": "SV-238257r653946_rule ", + "stig_id": "UBTU-20-010141 ", + "fix_id": "F-41426r653945_fix ", "cci": [ "CCI-000172" ], 
@@ -1951,342 +2007,300 @@ ], "host": null }, - "code": "control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm 
do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238293.rb", + "ref": "./controls/SV-238257.rb", "line": 1 }, - "id": "SV-238293" + "id": "SV-238257" }, { - "title": "The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. ", - "desc": "Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.", + "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. 
The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", "descriptions": { - "default": "Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.", - "check": "Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system to set permissions of all log files under the\n\"/var/log\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\;" + "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. 
The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", + "check": "Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000205-GPOS-00083 ", - "gid": "V-238337 ", - "rid": "SV-238337r654186_rule ", - "stig_id": "UBTU-20-010416 ", - "fix_id": "F-41506r654185_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000071-GPOS-00039 ", + "gid": "V-238223 ", + "rid": "SV-238223r653844_rule ", + "stig_id": "UBTU-20-010052 ", + "fix_id": "F-41392r653843_fix ", "cci": [ - "CCI-001312" + "CCI-000194" ], "nist": [ - "SI-11 a" + "IA-5 (1) (a)" ], "host": null, "container": null }, - "code": "control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. 
The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n tag 'host', 'container'\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n", + "code": "control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. 
Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238337.rb", + "ref": "./controls/SV-238223.rb", "line": 1 }, - "id": "SV-238337" + "id": "SV-238223" }, { - "title": "The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, 
diagnostic sessions and other system-level access. ", - "desc": "If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.", + "title": "The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. ", + "desc": "When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. 
This prevents remote hosts from\nconnecting to the proxy display.", "descriptions": { - "default": "If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.", - "check": "Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", - "fix": "Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in 
the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load" + "default": "When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.", + "check": "Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to\n\"no\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding.", + "fix": "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\"\nkeyword and set its value to \"yes\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000392-GPOS-00172 ", - "satisfies": [ - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-238309 ", - "rid": "SV-238309r853427_rule ", - "stig_id": "UBTU-20-010244 ", - "fix_id": "F-41478r654101_fix ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-238220 ", + "rid": "SV-238220r858535_rule ", + "stig_id": "UBTU-20-010049 ", + "fix_id": "F-41389r653834_fix ", "cci": [ - "CCI-000172", - 
"CCI-002884" + "CCI-000366" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. 
This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not 
cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. 
\"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238309.rb", + "ref": "./controls/SV-238220.rb", "line": 1 }, - "id": "SV-238309" + "id": "SV-238220" }, { - "title": "The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. ", - "desc": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.", + "title": "The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. 
The performance is helped, though, by combining syscalls into\none rule whenever possible.", "descriptions": { - "default": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. 
Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.", - "check": "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\",\n\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the\n\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding.", - "fix": "Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. 
Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n\"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \"setxattr\", \"fsetxattr\",\n\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and\n\"lremovexattr\" system calls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr 
-F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000424-GPOS-00188 ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", "satisfies": [ - "SRG-OS-000424-GPOS-00188", - "SRG-OS-000033-GPOS-00014", - "SRG-OS-000394-GPOS-00174" + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206" ], - "gid": "V-238217 ", - "rid": "SV-238217r860821_rule ", - "stig_id": "UBTU-20-010044 ", - "fix_id": "F-41386r653825_fix ", + "gid": "V-238258 ", + "rid": "SV-238258r808474_rule ", + "stig_id": "UBTU-20-010142 ", + "fix_id": "F-41427r808473_fix ", "cci": [ - "CCI-000068", - "CCI-002421", - "CCI-003123" + "CCI-000172" ], "nist": [ - "AC-17 (2)", - "SC-8 (1)", - "MA-4 (6)" + "AU-12 c" ], "host": null }, - "code": "control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w(aes256-ctr aes192-ctr aes128-ctr) }\n end\n end\nend\n", + "code": "control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the 
commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n 
its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238217.rb", + "ref": "./controls/SV-238258.rb", "line": 1 }, - "id": "SV-238217" + "id": "SV-238258" }, { - "title": "The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. ", - "desc": "Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. 
Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.", - "check": "Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf the\n\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are\nnot set to \"true\" or are missing or commented out, this is a finding.", - "fix": "Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"newgrp\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit 
event for any successful/unsuccessful use of\nthe \"newgrp\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000437-GPOS-00194 ", - "gid": "V-238370 ", - "rid": "SV-238370r853447_rule ", - "stig_id": "UBTU-20-010449 ", - "fix_id": "F-41539r654284_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238280 ", + "rid": "SV-238280r654015_rule ", + "stig_id": "UBTU-20-010164 ", + "fix_id": "F-41449r654014_fix ", "cci": [ - "CCI-002617" + "CCI-000172" ], "nist": [ - "SI-2 (6)" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. 
\"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n tag 'host', 'container'\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/) }\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/) }\n end\nend\n", + "code": "control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { 
should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238370.rb", + "ref": "./controls/SV-238280.rb", "line": 1 }, - "id": "SV-238370" + "id": "SV-238280" }, { - "title": "The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. ", - "desc": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.", + "title": "The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. ", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. 
Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.", - "check": "Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \"ClientAliveCountMax\" variable is set in the\n\"/etc/ssh/sshd_config\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax 
/etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding.", - "fix": "Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service" + "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. 
The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \"%n %a\" /var/log\n\n/var/log 750\n\n\nIf a value of \"750\" or less permissive is not returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000126-GPOS-00066 ", - "gid": "V-238212 ", - "rid": "SV-238212r858521_rule ", - "stig_id": "UBTU-20-010036 ", - "fix_id": "F-41381r653810_fix ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238340 ", + "rid": "SV-238340r654195_rule ", + "stig_id": "UBTU-20-010419 ", + "fix_id": "F-41509r654194_fix ", "cci": [ - "CCI-000879" + "CCI-001314" ], "nist": [ - "MA-4 e" + "SI-11 b" ], "host": null, "container": null }, - "code": "control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. 
Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n tag 'host', 'container'\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n", + "code": "control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238212.rb", + "ref": "./controls/SV-238340.rb", "line": 1 }, - "id": "SV-238212" + "id": "SV-238340" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command 
does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + "title": "The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ", + "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.", + "descriptions": { + "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. 
Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding.", + "fix": "Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238292 ", - "rid": "SV-238292r654051_rule ", - "stig_id": "UBTU-20-010176 ", - "fix_id": "F-41461r654050_fix ", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ], - "host": null - }, - "code": "control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist 
}\n it { should be true }\n end\n end\n end\nend\n", - "source_location": { - "ref": "./controls/SV-238292.rb", - "line": 1 - }, - "id": "SV-238292" - }, - { - "title": "The Ubuntu operating system must not have accounts configured with blank or null passwords. ", - "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.", - "descriptions": { - "default": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.", - "check": "Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.", - "fix": "Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username]" - }, - "impact": 0.7, - "refs": [], - "tags": { - "severity": "high ", - "gtitle": "SRG-OS-000480-GPOS-00227 ", - "gid": "V-251503 ", - "rid": "SV-251503r808506_rule ", - "stig_id": "UBTU-20-010462 ", - "fix_id": "F-54892r808505_fix ", + "gtitle": "SRG-OS-000447-GPOS-00201 ", + "gid": "V-238372 ", + "rid": "SV-238372r853449_rule ", + "stig_id": "UBTU-20-010451 ", + "fix_id": "F-41541r654290_fix ", "cci": [ - "CCI-000366" + "CCI-002702" ], "nist": [ - "CM-6 b" + "SI-6 d" ], "host": null, "container": null }, - "code": "control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. 
\"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n", + "code": "control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. 
\"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n tag 'host', 'container'\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n", "source_location": { - "ref": "./controls/SV-251503.rb", + "ref": "./controls/SV-238372.rb", "line": 1 }, - "id": "SV-251503" + "id": "SV-238372" }, { - "title": "The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. ", - "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. 
The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. 
The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \"/var/log/syslog\" file is not group-owned by adm, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"crontab\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo 
augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000206-GPOS-00084 ", - "gid": "V-238341 ", - "rid": "SV-238341r654198_rule ", - "stig_id": "UBTU-20-010420 ", - "fix_id": "F-41510r654197_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238293 ", + "rid": "SV-238293r654054_rule ", + "stig_id": "UBTU-20-010177 ", + "fix_id": "F-41462r654053_fix ", "cci": [ - "CCI-001314" + "CCI-000172" ], "nist": [ - "SI-11 b" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n", + "code": "control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238341.rb", + "ref": "./controls/SV-238293.rb", "line": 1 }, - "id": "SV-238341" + "id": "SV-238293" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. 
", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "title": "The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. ", + "desc": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. 
Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", - "check": "Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any 
successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load" + "default": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. 
Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", + "check": "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \"false\", this is a finding.", + "fix": "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nLook for the\n\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and\nuncomment it (remove the leading \"#\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "satisfies": [ - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000471-GPOS-00216" - ], - "gid": "V-238295 ", - "rid": "SV-238295r808486_rule ", - "stig_id": "UBTU-20-010179 ", - "fix_id": "F-41464r808485_fix ", + "gtitle": "SRG-OS-000023-GPOS-00006 ", + "gid": "V-238197 ", + "rid": "SV-238197r653766_rule ", + "stig_id": "UBTU-20-010002 ", + "fix_id": "F-41366r653765_fix ", "cci": [ - "CCI-000172" + "CCI-000048" ], "nist": [ - "AU-12 c" + "AC-8 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238295' do\n title \"The Ubuntu operating system must 
generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. 
\"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host', 'container'\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/gdm3/greeter.dconf-defaults').stdout.strip }\n it { should match(/banner-message-enable\\s*=\\s*true/) }\n end\n else\n describe command('which Xorg').exit_status do\n 
skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238295.rb", + "ref": "./controls/SV-238197.rb", "line": 1 }, - "id": "SV-238295" + "id": "SV-238197" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. ", + "title": "The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. ", "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"mount\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any 
successful/unsuccessful use of\nthe \"mount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238254 ", - "rid": "SV-238254r653937_rule ", - "stig_id": "UBTU-20-010138 ", - "fix_id": "F-41423r653936_fix ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000473-GPOS-00218" + ], + "gid": "V-238285 ", + "rid": "SV-238285r654030_rule ", + "stig_id": "UBTU-20-010169 ", + "fix_id": "F-41454r654029_fix ", "cci": [ "CCI-000172" ], 
@@ -2295,102 +2309,96 @@ ], "host": null }, - "code": "control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if 
audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238254.rb", + "ref": "./controls/SV-238285.rb", "line": 1 }, - "id": "SV-238254" + "id": "SV-238285" }, { - "title": "The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. ", - "desc": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.", + "title": "The Ubuntu operating system must not allow unattended or automatic login via SSH. ", + "desc": "Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. 
Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.", - "check": "Verify the Ubuntu operating system has the \"vlock\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \"vlock\" is not installed, this is a finding.", - "fix": "Install the \"vlock\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock" + "default": "Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.", + "check": "Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding.", + "fix": "Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000030-GPOS-00011 ", - "satisfies": [ - "SRG-OS-000030-GPOS-00011", - "SRG-OS-000031-GPOS-00012" - ], - "gid": "V-238200 ", - "rid": "SV-238200r653775_rule ", - "stig_id": "UBTU-20-010005 ", - "fix_id": "F-41369r653774_fix ", + "severity": "high ", + "gtitle": "SRG-OS-000480-GPOS-00229 ", + "gid": "V-238218 
", + "rid": "SV-238218r858531_rule ", + "stig_id": "UBTU-20-010047 ", + "fix_id": "F-41387r653828_fix ", "cci": [ - "CCI-000058", - "CCI-000060" + "CCI-000366" ], "nist": [ - "AC-11 a", - "AC-11 (1)" + "CM-6 b" ], "host": null, "container": null }, - "code": "control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n tag 'host', 'container'\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. 
'\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238200.rb", + "ref": "./controls/SV-238218.rb", "line": 1 }, - "id": "SV-238200" + "id": "SV-238218" }, { - "title": "The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). ", - "desc": "If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. 
Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.", + "title": "The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. ", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.", - "check": "To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \"time zone\"\nTimezone: UTC (UTC, +0000)\n\nIf \"Timezone\" is not\nset to UTC or GMT, this is a finding.", - "fix": "To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE]" + "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. 
Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \"%n %a\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \"640\" or less permissive is not\nreturned, this is a finding.", + "fix": "Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000359-GPOS-00146 ", - "gid": "V-238308 ", - "rid": "SV-238308r853426_rule ", - "stig_id": "UBTU-20-010230 ", - "fix_id": "F-41477r654098_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238343 ", + "rid": "SV-238343r654204_rule ", + "stig_id": "UBTU-20-010422 ", + "fix_id": "F-41512r654203_fix ", "cci": [ - "CCI-001890" + "CCI-001314" ], "nist": [ - "AU-8 b" + "SI-11 b" ], "host": null, "container": null }, - "code": "control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. 
Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n tag 'host', 'container'\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match /UTC|GMT/ }\n end\nend\n", + "code": "control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. 
\"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238308.rb", + "ref": "./controls/SV-238343.rb", "line": 1 }, - "id": "SV-238308" + "id": "SV-238343" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. ", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. 
", "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-keysign\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-keysign\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load" + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setfacl\" command.\n\nCheck the currently 
configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setfacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238257 ", - "rid": "SV-238257r653946_rule ", - "stig_id": "UBTU-20-010141 ", - "fix_id": "F-41426r653945_fix ", + "gid": "V-238283 ", + "rid": "SV-238283r654024_rule ", + "stig_id": "UBTU-20-010167 ", + "fix_id": "F-41452r654023_fix ", "cci": [ "CCI-000172" ], 
@@ -2399,393 +2407,429 @@ ], "host": null }, - "code": "control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238257.rb", + "ref": "./controls/SV-238283.rb", "line": 1 }, - "id": "SV-238257" + "id": "SV-238283" }, { - "title": "The Ubuntu operating system must not allow unattended or automatic login via SSH. ", - "desc": "Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.", + "title": "The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. 
", + "desc": "Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.", "descriptions": { - "default": "Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.", - "check": "Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding.", - "fix": "Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service" + "default": "Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.", + "check": "Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding.", + "fix": "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or\nfiles in the \"/etc/sudoers.d\" directory." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high ", - "gtitle": "SRG-OS-000480-GPOS-00229 ", - "gid": "V-238218 ", - "rid": "SV-238218r858531_rule ", - "stig_id": "UBTU-20-010047 ", - "fix_id": "F-41387r653828_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000373-GPOS-00156 ", + "satisfies": [ + "SRG-OS-000373-GPOS-00156", + "SRG-OS-000373-GPOS-00157" + ], + "gid": "V-238208 ", + "rid": "SV-238208r853405_rule ", + "stig_id": "UBTU-20-010014 ", + "fix_id": "F-41377r653798_fix ", "cci": [ - "CCI-000366" + "CCI-002038" ], "nist": [ - "CM-6 b" + "IA-11" ], "host": null, "container": null }, - "code": "control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n", + "code": "control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag 'host', 'container'\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238218.rb", + "ref": "./controls/SV-238208.rb", "line": 1 }, - "id": "SV-238218" + "id": "SV-238208" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. ", + "desc": "In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. 
Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any 
successful/unsuccessful use of\nthe \"delete_module\" syscall.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load" + "default": "In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.", + "check": "Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or 
services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding.", + "fix": "Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \"in\" or \"out\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service>" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "satisfies": [ - "SRG-OS-000477-GPOS-00222" - ], - "gid": "V-238297 ", - "rid": "SV-238297r802387_rule ", - "stig_id": "UBTU-20-010181 ", - "fix_id": "F-41466r654065_fix ", + "gtitle": "SRG-OS-000096-GPOS-00050 ", + "gid": "V-238328 ", + "rid": "SV-238328r654159_rule ", + "stig_id": "UBTU-20-010407 ", + "fix_id": "F-41497r654158_fix ", "cci": [ - "CCI-000172" + "CCI-000382" ], "nist": [ - "AU-12 c" + "CM-7 b" ], "host": null }, - "code": "control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. 
\"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. 
\"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. 
\"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238297.rb", + "ref": "./controls/SV-238328.rb", "line": 1 }, - "id": "SV-238297" + "id": "SV-238328" }, { - "title": "The Ubuntu operating system must have directories that contain system commands group-owned\nby root. ", - "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "title": "The Ubuntu operating system must not have the rsh-server package installed. ", + "desc": "It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", - "check": "Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding.", - "fix": "Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;" + "default": "It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. 
Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.", + "check": "Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding.", + "fix": "Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000258-GPOS-00099 ", - "gid": "V-238346 ", - "rid": "SV-238346r654213_rule ", - "stig_id": "UBTU-20-010425 ", - "fix_id": "F-41515r654212_fix ", + "severity": "high ", + "gtitle": "SRG-OS-000095-GPOS-00049 ", + "gid": "V-238327 ", + "rid": "SV-238327r654156_rule ", + "stig_id": "UBTU-20-010406 ", + "fix_id": "F-41496r654155_fix ", "cci": [ - "CCI-001495" + "CCI-000381" ], "nist": [ - "AU-9" + "CM-7 a" ], "host": null, "container": null }, - "code": "control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n tag 'host', 'container'\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! 
-group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host', 'container'\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238346.rb", + "ref": "./controls/SV-238327.rb", "line": 1 }, - "id": "SV-238346" + "id": "SV-238327" }, { - "title": "The Ubuntu operating system must prevent direct login into the root account. ", - "desc": "To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. 
This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.", + "title": "The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. ", + "desc": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. 
Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.", "descriptions": { - "default": "To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. 
This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.", - "check": "Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \"L\" in the second field to indicate the account is locked, this is a finding.", - "fix": "Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root" + "default": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. 
Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.", + "check": "Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \"TMOUT\" environment variable is set in the\n\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by\nperforming the following command:\n\n$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \"TMOUT\" is not set, or if the value is \"0\" or is commented\nout, this is a finding.", + "fix": "Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist.\n\nModify or append the\nfollowing line in the \"/etc/profile.d/99-terminal_tmout.sh \" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000109-GPOS-00056 ", - "gid": "V-238329 ", - "rid": "SV-238329r654162_rule ", - "stig_id": "UBTU-20-010408 ", - "fix_id": "F-41498r654161_fix 
", + "gtitle": "SRG-OS-000279-GPOS-00109 ", + "gid": "V-238207 ", + "rid": "SV-238207r853404_rule ", + "stig_id": "UBTU-20-010013 ", + "fix_id": "F-41376r653795_fix ", "cci": [ - "CCI-000770" + "CCI-002361" ], "nist": [ - "IA-2 (5)" + "AC-12" ], "host": null, "container": null }, - "code": "control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. 
\"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n tag 'host', 'container'\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match(/^root\\s+L\\s+.*$/) }\n end\nend\n", + "code": "control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. 
Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. 
\"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n tag 'host', 'container'\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238329.rb", + "ref": "./controls/SV-238207.rb", "line": 1 }, - "id": "SV-238329" + "id": "SV-238207" }, { - "title": "The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. ", - "desc": "If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.", + "title": "The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. 
", + "desc": "Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.", "descriptions": { - "default": "If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.", - "check": "Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \"space_left\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \"space_left_action\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\"space_left_action\" is set to \"exec\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \"space_left_action\" is set\nto \"email\", check the value of the \"action_mail_acct\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". 
If the\n\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available.", - "fix": "Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or\n\"email\".\n\nIf the \"space_left_action\" parameter is set to \"email\", set the\n\"action_mail_acct\" parameter to an email address for the SA and ISSO.\n\nIf the\n\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity." + "default": "Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.", + "check": "Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set\nthe parameter \"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000" }, "impact": 0.3, "refs": [], "tags": { "severity": "low ", - "gtitle": "SRG-OS-000343-GPOS-00134 ", - "gid": "V-238307 ", - "rid": "SV-238307r853425_rule ", - "stig_id": "UBTU-20-010217 ", - "fix_id": "F-41476r654095_fix ", + "gtitle": "SRG-OS-000480-GPOS-00226 ", + "gid": "V-238237 ", + "rid": "SV-238237r653886_rule ", + "stig_id": "UBTU-20-010075 ", + "fix_id": "F-41406r653885_fix ", "cci": [ - "CCI-001855" + 
"CCI-000366" ], "nist": [ - "AU-5 (1)" + "CM-6 b" ], "host": null }, - "code": "control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". 
If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? 
&& !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/) }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238307.rb", + "ref": "./controls/SV-238237.rb", "line": 1 }, - "id": "SV-238307" + "id": "SV-238237" }, { - "title": "The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. ", - "desc": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. 
Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.", + "title": "The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. ", + "desc": "In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.", "descriptions": { - "default": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. 
Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.", - "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding.", - "fix": "Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide" + "default": "In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.", + "check": "Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \"/var/log/audit/\") with the following command:\n\n$\nsudo df -h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% 
/var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\"/var/log/audit\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du -sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding.", + "fix": "Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \"parted\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000445-GPOS-00199 ", - "gid": "V-238371 ", - "rid": "SV-238371r853448_rule ", - "stig_id": "UBTU-20-010450 ", - "fix_id": "F-41540r654287_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000341-GPOS-00132 ", + "gid": "V-238305 ", + "rid": "SV-238305r853423_rule ", + "stig_id": "UBTU-20-010215 ", + "fix_id": "F-41474r654089_fix ", "cci": [ - "CCI-002696" + "CCI-001849" ], "nist": [ - "SI-6 a" + "AU-4" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. 
\"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n tag 'host', 'container'\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. 
\"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df -h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du -sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. 
\"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? 
&& !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238371.rb", + "ref": "./controls/SV-238305.rb", "line": 1 }, - "id": "SV-238371" + "id": "SV-238305" }, { - "title": "The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. ", - "desc": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "title": "The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. ", + "desc": "Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. 
Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.", "descriptions": { - "default": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", - "check": "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nhave a mode more permissive than \"0640\", this is a finding.", - "fix": "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" + "default": "Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. 
Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.", + "check": "Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf the\n\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are\nnot set to \"true\" or are missing or commented out, this is a finding.", + "fix": "Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000063-GPOS-00032 ", - "gid": "V-238249 ", - "rid": "SV-238249r653922_rule ", - "stig_id": "UBTU-20-010133 ", - "fix_id": "F-41418r653921_fix ", + "gtitle": "SRG-OS-000437-GPOS-00194 ", + "gid": "V-238370 ", + "rid": "SV-238370r853447_rule ", + "stig_id": "UBTU-20-010449 ", + "fix_id": "F-41539r654284_fix ", "cci": [ - "CCI-000171" + "CCI-002617" ], "nist": [ - "AU-12 b" + "SI-2 (6)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. 
\"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. 
\"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n", + "code": "control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. 
\"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n tag 'host', 'container'\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/) }\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/) }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238249.rb", + "ref": "./controls/SV-238370.rb", "line": 1 }, - "id": "SV-238249" + "id": "SV-238370" }, { - "title": "The Ubuntu operating system must enforce a minimum 15-character password length. 
", - "desc": "The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.", + "title": "The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. ", + "desc": "Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.", "descriptions": { - "default": "The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. 
Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.", - "check": "Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \"minlen\" parameter value is not \"15\" or\nhigher or is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file:\n\n\nminlen=15" + "default": "Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.", + "check": "Verify that kernel core dumps are disabled unless needed.\n\nCheck if \"kdump\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \"kdump\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding.", + "fix": "If kernel core dumps are not required, disable the \"kdump\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000078-GPOS-00046 ", - "gid": "V-238225 ", - "rid": "SV-238225r832942_rule ", - "stig_id": "UBTU-20-010054 ", - "fix_id": "F-41394r653849_fix ", + "gtitle": "SRG-OS-000184-GPOS-00078 ", + "gid": "V-238334 ", + "rid": "SV-238334r654177_rule ", + "stig_id": "UBTU-20-010413 ", + "fix_id": "F-41503r654176_fix ", "cci": [ - "CCI-000205" + "CCI-001190" ], "nist": [ - "IA-5 (1) (a)" + "SC-24" ], "host": null, "container": null }, - "code": "control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n tag 'host', 'container'\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238225.rb", + "ref": "./controls/SV-238334.rb", "line": 1 }, - "id": "SV-238225" + "id": "SV-238334" }, { - "title": "The Ubuntu operating system must prevent the use of dictionary words for passwords. ", - "desc": "If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.", + "title": "The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). ", + "desc": "It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.", "descriptions": { - "default": "If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.", - "check": "Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to\n\"1\" or is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file to include the\n\"dictcheck=1\" parameter:\n\ndictcheck=1" + "default": "It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. 
Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.", + "check": "Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented\nout, this is a finding.", + "fix": "Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in\n\"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nRestart the \"auditd\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000480-GPOS-00225 ", - 
"gid": "V-238227 ", - "rid": "SV-238227r653856_rule ", - "stig_id": "UBTU-20-010056 ", - "fix_id": "F-41396r653855_fix ", + "gtitle": "SRG-OS-000047-GPOS-00023 ", + "gid": "V-238244 ", + "rid": "SV-238244r653907_rule ", + "stig_id": "UBTU-20-010118 ", + "fix_id": "F-41413r653906_fix ", "cci": [ - "CCI-000366" + "CCI-000140" ], "nist": [ - "CM-6 b" + "AU-5 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp(/(?:SYSLOG|SINGLE|HALT)/i) }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238227.rb", + "ref": "./controls/SV-238244.rb", "line": 1 }, - "id": "SV-238227" + "id": "SV-238244" }, { - "title": "The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. 
", - "desc": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", + "title": "The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. ", + "desc": "Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.", "descriptions": { - "default": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. 
Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", - "check": "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \"false\", this is a finding.", - "fix": "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nLook for the\n\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and\nuncomment it (remove the leading \"#\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3" + "default": "Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.", + "check": "Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding.", + "fix": "Configure the system to run in FIPS mode. 
Add \"fips=1\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \"Ubuntu\nAdvantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS." + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000396-GPOS-00176 ", + "satisfies": [ + "SRG-OS-000396-GPOS-00176", + "SRG-OS-000478-GPOS-00223" + ], + "gid": "V-238363 ", + "rid": "SV-238363r853438_rule ", + "stig_id": "UBTU-20-010442 ", + "fix_id": "F-41532r654263_fix ", + "cci": [ + "CCI-002450" + ], + "nist": [ + "SC-13 b" + ], + "host": null + }, + "code": "control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. 
Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match(/\\A1\\Z/) }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238363.rb", + "line": 1 + }, + "id": "SV-238363" + }, + { + "title": "The Ubuntu operating system must configure the /var/log directory to be owned by root. ", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. 
Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "descriptions": { + "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. 
The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \"%n %U\" /var/log\n/var/log root\n\nIf the\n\"/var/log\" directory is not owned by root, this is a finding.", + "fix": "Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running\nthe following command:\n\n$ sudo chown root /var/log" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000023-GPOS-00006 ", - "gid": "V-238197 ", - "rid": "SV-238197r653766_rule ", - "stig_id": "UBTU-20-010002 ", - "fix_id": "F-41366r653765_fix ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238339 ", + "rid": "SV-238339r654192_rule ", + "stig_id": "UBTU-20-010418 ", + "fix_id": "F-41508r654191_fix ", "cci": [ - "CCI-000048" + "CCI-001314" ], "nist": [ - "AC-8 a" + "SI-11 b" ], "host": null, "container": null }, - "code": "control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. 
Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host', 'container'\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/gdm3/greeter.dconf-defaults').stdout.strip }\n it { should match(/banner-message-enable\\s*=\\s*true/) }\n end\n else\n describe command('which Xorg').exit_status do\n 
skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", + "code": "control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238197.rb", + "ref": "./controls/SV-238339.rb", "line": 1 }, - "id": "SV-238197" + "id": "SV-238339" }, { - "title": "The Ubuntu operating system library directories must be group-owned by root. ", - "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "title": "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. ", + "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. 
In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.", "descriptions": { - "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", - "check": "Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding.", - "fix": "Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\;" + "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. 
In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.", + "check": "Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding.", + "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000259-GPOS-00100 ", - "gid": "V-238352 ", - "rid": "SV-238352r654231_rule ", - "stig_id": "UBTU-20-010431 ", - "fix_id": "F-41521r654230_fix ", + "severity": "high ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-238379 ", + "rid": "SV-238379r654312_rule ", + "stig_id": "UBTU-20-010459 ", + "fix_id": "F-41548r654311_fix ", "cci": [ - "CCI-001499" + "CCI-000366" ], "nist": [ - "CM-5 (6)" + "CM-6 b" ], "host": null, "container": null }, - "code": "control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. 
'\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! 
\\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. 
\"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n impact 0.0\n describe command('which Xorg').exit_status do\n skip('This control is Not Applicable since a GUI not installed.')\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238352.rb", + "ref": "./controls/SV-238379.rb", "line": 1 }, - "id": "SV-238352" + "id": "SV-238379" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. ", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. 
", "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"newgrp\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"newgrp\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + "check": "Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo 
auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238280 ", - "rid": "SV-238280r654015_rule ", - "stig_id": "UBTU-20-010164 ", - "fix_id": "F-41449r654014_fix ", + "gid": "V-238255 ", + "rid": "SV-238255r653940_rule ", + "stig_id": "UBTU-20-010139 ", + "fix_id": "F-41424r653939_fix ", "cci": [ "CCI-000172" ], 
@@ -2794,257 +2838,285 @@ ], "host": null }, - "code": "control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n 
end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238280.rb", + "ref": "./controls/SV-238255.rb", "line": 1 }, - "id": "SV-238280" + "id": "SV-238255" }, { - "title": "The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. ", + "desc": "If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. 
This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + "default": "If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. 
This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.", + "check": "Verify that the audit log directory has a mode of \"0750\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \"0750\" or less by\nusing the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \"0750\", this is a finding.", + "fix": "Configure the audit log directory to have a mode of \"0750\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\"0750\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000472-GPOS-00217 ", - "gid": "V-238315 ", - "rid": "SV-238315r654120_rule ", - "stig_id": "UBTU-20-010277 ", - "fix_id": "F-41484r654119_fix ", + "gtitle": "SRG-OS-000059-GPOS-00029 ", + "gid": "V-238248 ", + "rid": "SV-238248r653919_rule ", + "stig_id": "UBTU-20-010128 ", + "fix_id": "F-41417r653918_fix ", "cci": [ - "CCI-000172" + "CCI-000164" ], "nist": [ - "AU-12 c" + "AU-9 a" ], "host": null }, - "code": "control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. 
'\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp 
[] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. 
\"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238315.rb", + "ref": "./controls/SV-238248.rb", "line": 1 }, - "id": "SV-238315" + "id": "SV-238248" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. 
", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ", + "desc": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. 
Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + "default": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted 
languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding.", + "fix": "Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\;" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238284 ", - "rid": "SV-238284r654027_rule ", - "stig_id": "UBTU-20-010168 ", - "fix_id": "F-41453r654026_fix ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238376 ", + "rid": "SV-238376r654303_rule ", + "stig_id": "UBTU-20-010456 ", + "fix_id": "F-41545r654302_fix ", "cci": [ - "CCI-000172" + "CCI-001499" ], "nist": [ - "AU-12 c" + "CM-5 (6)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if 
audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. 
Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238284.rb", + "ref": "./controls/SV-238376.rb", "line": 1 }, - "id": "SV-238284" + "id": "SV-238376" }, { - "title": "The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. 
", - "desc": "In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.", + "title": "The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. ", + "desc": "By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.", "descriptions": { - "default": "In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.", - "check": "Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \"/var/log/audit/\") with the following command:\n\n$\nsudo df -h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\"/var/log/audit\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du -sh 
[audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding.", - "fix": "Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \"parted\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint." + "default": "By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. 
Limits are imposed by\nlocking the account.", + "check": "Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \"silent\" keyword is missing or commented out, this is a finding.\nIf the \"audit\"\nkeyword is missing or commented out, this is a finding.\nIf the \"deny\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \"fail_interval\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding.", + "fix": "Configure the Ubuntu operating system to utilize the \"pam_faillock\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \"auth\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \"pam_faillock\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0" }, "impact": 0.3, "refs": [], "tags": { "severity": "low ", - "gtitle": "SRG-OS-000341-GPOS-00132 ", - "gid": "V-238305 ", - "rid": "SV-238305r853423_rule ", - "stig_id": "UBTU-20-010215 ", - "fix_id": "F-41474r654089_fix ", + "gtitle": "SRG-OS-000329-GPOS-00128 ", + "satisfies": [ + "SRG-OS-000329-GPOS-00128", + "SRG-OS-000021-GPOS-00005" + ], + "gid": 
"V-238235 ", + "rid": "SV-238235r853414_rule ", + "stig_id": "UBTU-20-010072 ", + "fix_id": "F-41404r802382_fix ", "cci": [ - "CCI-001849" + "CCI-000044", + "CCI-002238" ], "nist": [ - "AU-4" + "AC-7 a", + "AC-7 b" ], "host": null }, - "code": "control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df -h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du -sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit 
records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? 
&& !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. 
Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/) }\n its('stdout.strip') { should_not match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/) }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238305.rb", + "ref": "./controls/SV-238235.rb", "line": 1 }, - "id": "SV-238305" + "id": "SV-238235" }, { - "title": "The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. 
", - "desc": "In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.", + "title": "The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. ", + "desc": "If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. 
For\nexample, a password length of 15 characters must require the change of at least 8 characters.", "descriptions": { - "default": "In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.", - "check": "Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 
bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding.", - "fix": "Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \"in\" or \"out\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service>" + "default": "If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. 
For\nexample, a password length of 15 characters must require the change of at least 8 characters.", + "check": "Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \"difok\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"difok\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\" or is\ncommented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \"/etc/security/pwquality.conf\" file to include\nthe \"difok=8\" parameter:\n\ndifok=8" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000096-GPOS-00050 ", - "gid": "V-238328 ", - "rid": "SV-238328r654159_rule ", - "stig_id": "UBTU-20-010407 ", - "fix_id": "F-41497r654158_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000072-GPOS-00040 ", + "gid": "V-238224 ", + "rid": "SV-238224r653847_rule ", + "stig_id": "UBTU-20-010053 ", + "fix_id": "F-41393r653846_fix ", "cci": [ - "CCI-000382" + "CCI-000195" ], "nist": [ - "CM-7 b" + "IA-5 (1) (b)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. 
Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. 
\"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\n end\nend\n", + "code": "control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. 
In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238328.rb", + "ref": "./controls/SV-238224.rb", "line": 1 }, - "id": "SV-238328" + "id": "SV-238224" }, { - "title": "The Ubuntu operating system must monitor remote access methods. 
", - "desc": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).", + "title": "The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).", - "check": "Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \"auth.*\",\n\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config\nfiles, this is a finding.", - "fix": "Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\"rsyslog\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep 
lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000032-GPOS-00013 ", - "gid": "V-238324 ", - "rid": "SV-238324r832959_rule ", - "stig_id": "UBTU-20-010403 ", - "fix_id": "F-41493r832958_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000473-GPOS-00218" + ], + "gid": "V-238287 ", + "rid": "SV-238287r654036_rule ", + "stig_id": "UBTU-20-010171 ", + "fix_id": "F-41456r654035_fix ", "cci": [ - "CCI-000067" + "CCI-000172" ], "nist": [ - "AC-17 (1)" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n tag 'host', 'container'\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n", + "code": "control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if 
audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238324.rb", + "ref": "./controls/SV-238287.rb", "line": 1 }, - "id": "SV-238324" + "id": "SV-238287" }, { - "title": "The Ubuntu operating system must be configured to preserve log records from failure events. ", - "desc": "Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.", + "title": "The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. ", + "desc": "If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. 
To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.", "descriptions": { - "default": "Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.", - "check": "Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \"rsyslog\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \"disabled\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \"inactive\", this is a finding.", - "fix": "Configure the log service to collect failure 
events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog" + "default": "If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.", + "check": "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding.", + "fix": "If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\"system_account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\"\n+%F) system_account_name" }, "impact": 0.5, "refs": [], "tags": { "severity": 
"medium ", - "gtitle": "SRG-OS-000269-GPOS-00103 ", - "gid": "V-238353 ", - "rid": "SV-238353r654234_rule ", - "stig_id": "UBTU-20-010432 ", - "fix_id": "F-41522r654233_fix ", + "gtitle": "SRG-OS-000002-GPOS-00002 ", + "gid": "V-238196 ", + "rid": "SV-238196r653763_rule ", + "stig_id": "UBTU-20-010000 ", + "fix_id": "F-41365r653762_fix ", "cci": [ - "CCI-001665" + "CCI-000016" ], "nist": [ - "SC-24" + "AC-2 (2)" ], "host": null, "container": null }, - "code": "control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. 
\"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n tag 'host', 'container'\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. 
\"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n tag 'host', 'container'\n\n if input('temporary_accounts').empty?\n describe 'Temporary accounts' do\n subject { input('temporary_accounts') }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match(/:\\s*never/) }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238353.rb", + "ref": "./controls/SV-238196.rb", "line": 1 }, - "id": "SV-238353" + "id": "SV-238196" }, { - "title": "The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. 
", - "desc": "The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system's needs.", + "title": "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. ", + "desc": "Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", "descriptions": { - "default": "The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. 
Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system's needs.", - "check": "Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"\n\nX11Forwarding no\n\nIf the\n\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding.", - "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\"\nkeyword and set its value to \"no\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service" + "default": "Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", + "check": "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. 
If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. 
See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding.", + "fix": "Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd" }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { - "severity": "high ", - "gtitle": "SRG-OS-000480-GPOS-00227 ", - "gid": "V-238219 ", - "rid": "SV-238219r858533_rule ", - "stig_id": "UBTU-20-010048 ", - "fix_id": "F-41388r653831_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000228-GPOS-00088 ", + "satisfies": [ + "SRG-OS-000228-GPOS-00088", + "SRG-OS-000023-GPOS-00006" + ], + "gid": "V-238214 ", + "rid": "SV-238214r858525_rule ", + "stig_id": "UBTU-20-010038 ", + "fix_id": "F-41383r653816_fix ", "cci": [ - "CCI-000366" + "CCI-000048", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" ], "nist": [ - "CM-6 b" + "AC-8 a", + "AC-8 c 1", + "AC-8 c 2", + "AC-8 c 3" ], "host": null, "container": null }, - "code": "control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. 
An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system's needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n", + "code": "control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. 
\"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of 
privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or 
clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n tag 'host', 'container'\n\n if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable' do\n if virtualization.system.eql?('docker')\n skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled'\n else\n skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed'\n end\n end\n else\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? 
&& file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238219.rb", + "ref": "./controls/SV-238214.rb", "line": 1 }, - "id": "SV-238219" + "id": "SV-238214" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. 
The performance is helped, though, by combining syscalls into\none rule whenever possible.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"gpasswd\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the 
system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove.", + "fix": "Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S 
creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238290 ", - "rid": "SV-238290r654045_rule ", - "stig_id": "UBTU-20-010174 ", - "fix_id": "F-41459r654044_fix ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000474-GPOS-00219" + ], + "gid": "V-238271 ", + "rid": "SV-238271r808483_rule ", + "stig_id": "UBTU-20-010155 ", + "fix_id": "F-41440r808482_fix ", "cci": [ "CCI-000172" ], 
@@ -3053,128 +3125,135 @@ ], "host": null }, - "code": "control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only 
the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n 
its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238290.rb", + "ref": "./controls/SV-238271.rb", "line": 1 }, - "id": "SV-238290" + "id": "SV-238271" }, { - "title": "The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. ", - "desc": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. 
Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. 
Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", - "check": "Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \"ufw\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding.", - "fix": "Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chsh\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chsh\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F 
auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000297-GPOS-00115 ", - "gid": "V-238354 ", - "rid": "SV-238354r853429_rule ", - "stig_id": "UBTU-20-010433 ", - "fix_id": "F-41523r654236_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238279 ", + "rid": "SV-238279r654012_rule ", + "stig_id": "UBTU-20-010163 ", + "fix_id": "F-41448r654011_fix ", "cci": [ - "CCI-002314" + "CCI-000172" ], "nist": [ - "AC-17 (1)" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). 
\"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n tag 'host', 'container'\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238354.rb", + "ref": "./controls/SV-238279.rb", "line": 1 }, - "id": "SV-238354" + "id": "SV-238279" }, { - "title": "The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). ", - "desc": "It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. 
Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.", - "check": "Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented\nout, this is a finding.", - "fix": "Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in\n\"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nRestart the \"auditd\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit 
records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"mount\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"mount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000047-GPOS-00023 ", - "gid": "V-238244 ", - "rid": "SV-238244r653907_rule ", - "stig_id": "UBTU-20-010118 ", - "fix_id": "F-41413r653906_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238254 ", + "rid": "SV-238254r653937_rule ", + "stig_id": "UBTU-20-010138 ", + "fix_id": "F-41423r653936_fix ", "cci": [ - "CCI-000140" + "CCI-000172" ], "nist": [ - "AU-5 b" + "AU-12 c" ], "host": null }, - "code": "control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. 
Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp(/(?:SYSLOG|SINGLE|HALT)/i) }\n end\n end\nend\n", + "code": "control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n 
else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238244.rb", + "ref": "./controls/SV-238254.rb", "line": 1 }, - "id": "SV-238244" + "id": "SV-238254" }, { - "title": "The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). ", - "desc": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.", + "title": "The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. ", + "desc": "In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. 
However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.", "descriptions": { - "default": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.", - "check": "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \"mcafeetp\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II.", - "fix": "The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \"mcafeetp\" package via the ePO\nserver." + "default": "In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. 
However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.", + "check": "Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \"execve\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following 
command:\n\n$\nsudo augenrules --load" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000191-GPOS-00080 ", - "gid": "V-238336 ", - "rid": "SV-238336r858538_rule ", - "stig_id": "UBTU-20-010415 ", - "fix_id": "F-41505r858537_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000326-GPOS-00126 ", + "satisfies": [ + "SRG-OS-000326-GPOS-00126", + "SRG-OS-000327-GPOS-00127" + ], + "gid": "V-238304 ", + "rid": "SV-238304r853422_rule ", + "stig_id": "UBTU-20-010211 ", + "fix_id": "F-41473r654086_fix ", "cci": [ - "CCI-001233" + "CCI-002233", + "CCI-002234" ], "nist": [ - "SI-2 (2)" + "AC-6 (8)", + "AC-6 (9)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. 
\"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n tag 'host', 'container'\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n", + "code": "control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. 
However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238336.rb", + "ref": "./controls/SV-238304.rb", "line": 1 }, - "id": "SV-238336" + "id": "SV-238304" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. ", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. 
", "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudo\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load" + "check": "Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | 
grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"delete_module\" syscall.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238277 ", - "rid": "SV-238277r654006_rule ", - "stig_id": "UBTU-20-010161 ", - "fix_id": "F-41446r654005_fix ", + "satisfies": [ + "SRG-OS-000477-GPOS-00222" + ], + "gid": "V-238297 ", + "rid": "SV-238297r802387_rule ", + "stig_id": "UBTU-20-010181 ", + "fix_id": "F-41466r654065_fix ", "cci": [ "CCI-000172" ], 
@@ -3183,268 +3262,329 @@ ], "host": null }, - "code": "control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238277.rb", + "ref": "./controls/SV-238297.rb", "line": 1 }, - "id": "SV-238277" + "id": "SV-238297" }, { - "title": "The Ubuntu operating system library files must have mode 0755 or less permissive. 
", - "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "title": "The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper ", + "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. 
The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.", "descriptions": { - "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", - "check": "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding.", - "fix": "Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;" + "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. 
The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \"yes\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \"no\", this is a finding.", + "fix": "Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000259-GPOS-00100 ", - "gid": "V-238347 ", - "rid": "SV-238347r654216_rule ", - "stig_id": "UBTU-20-010426 ", - "fix_id": "F-41516r654215_fix ", + "gtitle": "SRG-OS-000363-GPOS-00150 ", + "gid": "V-238358 ", + "rid": "SV-238358r853433_rule ", + "stig_id": "UBTU-20-010437 ", + "fix_id": "F-41527r654248_fix ", "cci": [ - "CCI-001499" + "CCI-001744" ], "nist": [ - "CM-5 (6)" + "CM-3 (5)" ], "host": null, "container": null }, - "code": "control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. 
Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. 
The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n tag 'host', 'container'\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238347.rb", + "ref": "./controls/SV-238358.rb", "line": 1 }, - "id": "SV-238347" + "id": "SV-238358" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must uniquely identify interactive users. ", + "desc": "To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. 
Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"su\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above.", - "fix": "Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load" + "default": "To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to 
prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.", + "check": "Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding.", + "fix": "Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate\nUID with a unique UID." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238252 ", - "rid": "SV-238252r653931_rule ", - "stig_id": "UBTU-20-010136 ", - "fix_id": "F-41421r653930_fix ", + "gtitle": "SRG-OS-000104-GPOS-00051 ", + "satisfies": [ + "SRG-OS-000104-GPOS-00051", + "SRG-OS-000121-GPOS-00062" + ], + "gid": "V-238205 ", + "rid": "SV-238205r653790_rule ", + "stig_id": "UBTU-20-010010 ", + "fix_id": "F-41374r653789_fix ", "cci": [ - "CCI-000172" + "CCI-000764", + "CCI-000804" ], "nist": [ - "AU-12 c" + "IA-2", + "IA-8" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). 
Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n tag 'host', 'container'\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238252.rb", + "ref": "./controls/SV-238205.rb", "line": 1 }, - "id": "SV-238252" + "id": "SV-238205" }, { - "title": "The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. ", - "desc": "Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.", + "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. ", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. 
The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", "descriptions": { - "default": "Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.", - "check": "Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding.", - "fix": "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or\nfiles in the \"/etc/sudoers.d\" directory." + "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. 
The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", + "check": "Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"ucredit\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding.", + "fix": "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter:\n\n\nucredit=-1" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000373-GPOS-00156 ", - "satisfies": [ - "SRG-OS-000373-GPOS-00156", - "SRG-OS-000373-GPOS-00157" - ], - "gid": "V-238208 ", - "rid": "SV-238208r853405_rule ", - "stig_id": "UBTU-20-010014 ", - "fix_id": "F-41377r653798_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000069-GPOS-00037 ", + "gid": "V-238221 ", + "rid": "SV-238221r653838_rule ", + "stig_id": "UBTU-20-010050 ", + "fix_id": "F-41390r653837_fix ", "cci": [ - "CCI-002038" + "CCI-000192" ], "nist": [ - "IA-11" + "IA-5 (1) (a)" ], "host": null, "container": null }, - "code": "control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. 
\"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag 'host', 'container'\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. 
\"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238208.rb", + "ref": "./controls/SV-238221.rb", "line": 1 }, - "id": "SV-238208" + "id": "SV-238221" }, { - "title": "The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. ", - "desc": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.", + "title": "The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. ", + "desc": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.", "descriptions": { - "default": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.", - "check": "Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or\ngreater, this is a finding.", - "fix": "Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512:\n\n\nENCRYPT_METHOD SHA512" + "default": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. 
Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.", + "check": "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or\n\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000120-GPOS-00061 ", - "gid": "V-238325 ", - "rid": "SV-238325r654150_rule ", - "stig_id": "UBTU-20-010404 ", - "fix_id": "F-41494r654149_fix ", + "gtitle": "SRG-OS-000424-GPOS-00188 ", + "satisfies": [ + "SRG-OS-000424-GPOS-00188", + "SRG-OS-000250-GPOS-00093", + "SRG-OS-000393-GPOS-00173" + ], + "gid": "V-238216 ", + "rid": "SV-238216r860820_rule ", + "stig_id": "UBTU-20-010043 ", + "fix_id": "F-41385r653822_fix ", "cci": [ - "CCI-000803" + "CCI-001453", + "CCI-002421", + "CCI-002890" ], "nist": [ - "IA-7" + "AC-17 (2)", + "SC-8 (1)", + "MA-4 (6)" ], "host": null }, - "code": "control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic 
hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n", + "code": "control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent 
the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238325.rb", + "ref": "./controls/SV-238216.rb", "line": 1 }, - "id": "SV-238325" + "id": "SV-238216" }, { - "title": "The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. 
", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. ", + "desc": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nAdd or 
update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load" + "default": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.", + "check": "Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented\nout, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "satisfies": [ - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000473-GPOS-00218" - ], - "gid": "V-238285 ", - "rid": "SV-238285r654030_rule ", - "stig_id": "UBTU-20-010169 ", - "fix_id": "F-41454r654029_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000076-GPOS-00044 ", + "gid": "V-238203 ", + "rid": "SV-238203r653784_rule ", + "stig_id": "UBTU-20-010008 ", + "fix_id": "F-41372r653783_fix ", "cci": [ - "CCI-000172" + "CCI-000199" ], "nist": [ - "AU-12 c" + "IA-5 (1) (d)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if 
audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n tag 'host', 'container'\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238285.rb", + "ref": "./controls/SV-238203.rb", "line": 1 }, - "id": "SV-238285" + "id": "SV-238203" }, { - "title": "The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. ", - "desc": "Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. 
An example is a checksum hash of the file or\nfiles.", + "title": "The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. ", + "desc": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.", "descriptions": { - "default": "Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. 
An example is a checksum hash of the file or\nfiles.", - "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding.", - "fix": "Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512" + "default": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. 
No other activity aside from reauthentication must unlock\nthe system.", + "check": "Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \"lock-enabled\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \"lock-enabled\" is\nnot set to \"true\", this is a finding.", + "fix": "Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \"lock-enabled\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000278-GPOS-00108 ", - "gid": "V-238303 ", - "rid": "SV-238303r654084_rule ", - "stig_id": "UBTU-20-010205 ", - "fix_id": "F-41472r654083_fix ", - "cci": [ - "CCI-001496" + "gtitle": "SRG-OS-000028-GPOS-00009 ", + "satisfies": [ + "SRG-OS-000028-GPOS-00009", + "SRG-OS-000029-GPOS-00010" + ], + "gid": "V-238199 ", + "rid": "SV-238199r653772_rule ", + "stig_id": "UBTU-20-010004 ", + "fix_id": "F-41368r653771_fix ", + "cci": [ + "CCI-000056", + "CCI-000057" ], "nist": [ - "AU-9 (3)" + "AC-11 b", + "AC-11 a" + ], + "host": null, + "container": null + }, + "code": "control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. 
\"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n tag 'host', 'container'\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled').stdout.strip do\n it { should cmp true }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238199.rb", + "line": 1 + }, + "id": "SV-238199" + }, + { + "title": "The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. 
", + "desc": "Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.", + "descriptions": { + "default": "Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.", + "check": "Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding.", + "fix": "Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000068-GPOS-00036 ", + "gid": "V-238201 ", + "rid": "SV-238201r832933_rule ", + "stig_id": "UBTU-20-010006 ", + "fix_id": "F-41370r653777_fix ", + "cci": [ + "CCI-000187" + ], + "nist": [ + "IA-5 (2) (a) (2)" ], "host": null }, - "code": "control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. 
Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. 
\"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == 
'/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable inside a container' do\n skip 'This control is Not Applicable inside a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' 
do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238303.rb", + "ref": "./controls/SV-238201.rb", "line": 1 }, - "id": "SV-238303" + "id": "SV-238201" }, { - "title": "The Ubuntu operating system library files must be group-owned by root or a system account. ", - "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "title": "The Ubuntu operating system must be configured to use AppArmor. ", + "desc": "Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). 
Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).", "descriptions": { - "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", - "check": "Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding.", - "fix": "Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \"[FILE]\" with any system command file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]" + "default": "Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. 
Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).", + "check": "Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \"apparmor\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \"active\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \"enabled\" is not returned, this is a\nfinding.", + "fix": "Install \"AppArmor\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \"apparmor\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000259-GPOS-00100 ", - "gid": "V-238351 ", - "rid": "SV-238351r832962_rule ", - "stig_id": "UBTU-20-010430 ", - "fix_id": "F-41520r832961_fix ", + "gtitle": "SRG-OS-000368-GPOS-00154 ", + "satisfies": [ + "SRG-OS-000368-GPOS-00154", + "SRG-OS-000312-GPOS-00122", + "SRG-OS-000312-GPOS-00123", + "SRG-OS-000312-GPOS-00124", + "SRG-OS-000324-GPOS-00125", + "SRG-OS-000370-GPOS-00155" + ], + "gid": "V-238360 ", + "rid": "SV-238360r853435_rule ", + "stig_id": "UBTU-20-010439 ", + "fix_id": "F-41529r654254_fix ", "cci": [ - "CCI-001499" + "CCI-001764", + "CCI-001774", + "CCI-002165", + "CCI-002235" ], "nist": [ - "CM-5 (6)" + "CM-7 (2)", + "CM-7 (5) (b)", + "AC-3 (4)", + "AC-6 (10)" ], "host": null, "container": null }, - "code": "control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! 
-group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). 
Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n tag 'host', 'container'\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238351.rb", + "ref": "./controls/SV-238360.rb", "line": 1 }, - "id": "SV-238351" + "id": "SV-238360" }, { - "title": "The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ", - "desc": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", + "title": "The Ubuntu operating system must monitor remote access methods. 
", + "desc": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).", "descriptions": { - "default": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. 
Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", - "check": "Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \"disabled\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \"inactive\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding.", - "fix": "Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service" + "default": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).", + "check": "Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \"auth.*\",\n\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config\nfiles, this is a finding.", + "fix": "Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\"rsyslog\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000297-GPOS-00115 ", - "gid": "V-238355 ", - "rid": "SV-238355r853430_rule ", - "stig_id": "UBTU-20-010434 ", - "fix_id": "F-41524r654239_fix ", + "gtitle": "SRG-OS-000032-GPOS-00013 ", + "gid": "V-238324 ", + "rid": "SV-238324r832959_rule ", + "stig_id": "UBTU-20-010403 ", + "fix_id": "F-41493r832958_fix ", "cci": [ - "CCI-002314" + "CCI-000067" ], "nist": [ "AC-17 (1)" 
@@ -3452,76 +3592,109 @@ "host": null, "container": null }, - "code": "control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. 
\"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n tag 'host', 'container'\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). 
\"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n tag 'host', 'container'\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238355.rb", + "ref": "./controls/SV-238324.rb", "line": 1 }, - "id": "SV-238355" + "id": "SV-238324" }, { - "title": "The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. 
", - "desc": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "title": "The Ubuntu operating system must generate audit records for the /var/log/btmp file. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", - "check": "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 
Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a group other than \"root\", this is a finding.", - "fix": "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/btmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/btmp file\".\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000063-GPOS-00032 ", - "gid": "V-238251 ", - "rid": "SV-238251r653928_rule ", - "stig_id": "UBTU-20-010135 ", - "fix_id": "F-41420r653927_fix ", + "gtitle": 
"SRG-OS-000472-GPOS-00217 ", + "gid": "V-238317 ", + "rid": "SV-238317r654126_rule ", + "stig_id": "UBTU-20-010279 ", + "fix_id": "F-41486r654125_fix ", "cci": [ - "CCI-000171" + "CCI-000172" ], "nist": [ - "AU-12 b" + "AU-12 c" ], "host": null }, - "code": "control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. 
\"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n", + "code": "control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", 
"source_location": { - "ref": "./controls/SV-238251.rb", + "ref": "./controls/SV-238317.rb", "line": 1 }, - "id": "SV-238251" + "id": "SV-238317" }, { - "title": "The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. ", - "desc": "Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).", + "title": "The Ubuntu operating system library directories must have mode 0755 or less permissive. 
", + "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", "descriptions": { - "default": "Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). 
This does not apply to authentication for the purpose of configuring\nthe device itself (management).", - "check": "Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.", - "fix": "Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"libpam-pkcs11\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11" + "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding.", + "fix": "Configure the shared library directories to be protected from unauthorized access. 
Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\;" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000375-GPOS-00160 ", - "gid": "V-238230 ", - "rid": "SV-238230r853410_rule ", - "stig_id": "UBTU-20-010063 ", - "fix_id": "F-41399r653864_fix ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238348 ", + "rid": "SV-238348r654219_rule ", + "stig_id": "UBTU-20-010427 ", + "fix_id": "F-41517r654218_fix ", "cci": [ - "CCI-001948" + "CCI-001499" ], "nist": [ - "IA-2 (11)" + "CM-5 (6)" + ], + "host": null, + "container": null + }, + "code": "control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. 
Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238348.rb", + "line": 1 + }, + "id": "SV-238348" + }, + { + "title": "The Ubuntu operating system must initiate session audits at system start-up. ", + "desc": "If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.", + "descriptions": { + "default": "If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. 
Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.", + "check": "Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \"^\\s*linux\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \"audit=1\", this is a finding.", + "fix": "Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000254-GPOS-00095 ", + "gid": "V-238299 ", + "rid": "SV-238299r654072_rule ", + "stig_id": "UBTU-20-010198 ", + "fix_id": "F-41468r654071_fix ", + "cci": [ + "CCI-001464" + ], + "nist": [ + "AU-14 (1)" ], "host": null }, - "code": "control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. 
Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n", + "code": "control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238230.rb", + "ref": "./controls/SV-238299.rb", "line": 1 }, - "id": "SV-238230" + "id": "SV-238299" }, { "title": "The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. ", 
@@ -3556,102 +3729,50 @@ "id": "SV-251505" }, { - "title": "The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. ", - "desc": "Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.", + "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. ", + "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", "descriptions": { - "default": "Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.", - "check": "Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding.", - "fix": "Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly 
at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." + "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high ", - "gtitle": "SRG-OS-000068-GPOS-00036 ", - "gid": "V-238201 ", - "rid": "SV-238201r832933_rule ", - "stig_id": "UBTU-20-010006 ", - "fix_id": "F-41370r653777_fix ", - "cci": [ - "CCI-000187" - ], - "nist": [ - "IA-5 (2) (a) (2)" + "severity": "medium ", + "gtitle": "SRG-OS-000004-GPOS-00004 ", + "satisfies": [ + 
"SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000476-GPOS-00221" ], - "host": null - }, - "code": "control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable inside a container' do\n skip 'This control is Not Applicable inside a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' 
do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", - "source_location": { - "ref": "./controls/SV-238201.rb", - "line": 1 - }, - "id": "SV-238201" - }, - { - "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. ", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", - "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. 
The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", - "check": "Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"ucredit\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding.", - "fix": "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter:\n\n\nucredit=-1" - }, - "impact": 0.3, - "refs": [], - "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000069-GPOS-00037 ", - "gid": "V-238221 ", - "rid": "SV-238221r653838_rule ", - "stig_id": "UBTU-20-010050 ", - "fix_id": "F-41390r653837_fix ", - "cci": [ - "CCI-000192" - ], - "nist": [ - "IA-5 (1) (a)" - ], - "host": null, - "container": null - }, - "code": "control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. 
\"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", - "source_location": { - "ref": "./controls/SV-238221.rb", - "line": 1 - }, - "id": "SV-238221" - }, - { - "title": "The Ubuntu operating system library directories must have mode 0755 or less permissive. ", - "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. 
Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", - "descriptions": { - "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", - "check": "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding.", - "fix": "Configure the shared library directories to be protected from unauthorized access. 
Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\;" - }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000259-GPOS-00100 ", - "gid": "V-238348 ", - "rid": "SV-238348r654219_rule ", - "stig_id": "UBTU-20-010427 ", - "fix_id": "F-41517r654218_fix ", + "gid": "V-238241 ", + "rid": "SV-238241r853419_rule ", + "stig_id": "UBTU-20-010103 ", + "fix_id": "F-41410r653897_fix ", "cci": [ - "CCI-001499" + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" ], "nist": [ - "CM-5 (6)" + "AU-12 c", + "AC-2 (4)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. 
Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. 
Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a 
container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238348.rb", + "ref": "./controls/SV-238241.rb", "line": 1 }, - "id": "SV-238348" + "id": "SV-238241" }, { "title": "The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ", 
@@ -3692,317 +3813,240 @@ "id": "SV-238300" }, { - "title": "The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. ", - "desc": "If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.", + "title": "The Ubuntu operating system library directories must be group-owned by root. ", + "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. 
Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", "descriptions": { - "default": "If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.", - "check": "Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \"difok\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"difok\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\" or is\ncommented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \"/etc/security/pwquality.conf\" file to include\nthe \"difok=8\" parameter:\n\ndifok=8" + "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. 
Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding.", + "fix": "Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\;" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000072-GPOS-00040 ", - "gid": "V-238224 ", - "rid": "SV-238224r653847_rule ", - "stig_id": "UBTU-20-010053 ", - "fix_id": "F-41393r653846_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238352 ", + "rid": "SV-238352r654231_rule ", + "stig_id": "UBTU-20-010431 ", + "fix_id": "F-41521r654230_fix ", "cci": [ - "CCI-000195" + "CCI-001499" ], "nist": [ - "IA-5 (1) (b)" + "CM-5 (6)" ], "host": null, "container": null }, - "code": "control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. 
In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. 
'\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! 
\\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238224.rb", + "ref": "./controls/SV-238352.rb", "line": 1 }, - "id": "SV-238224" + "id": "SV-238352" }, { - "title": "The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. ", - "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. ", + "desc": "Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. 
Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \"%n %a\" /var/log\n\n/var/log 750\n\n\nIf a value of \"750\" or less permissive is not returned, this is a finding.", - "fix": "Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log" + "default": "Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. 
Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.", + "check": "Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \"UsePAM\"\nis set to \"yes\" in \"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \"UsePAM\" is not set to \"yes\", this is a finding.\nIf\nconflicting results are returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000206-GPOS-00084 ", - "gid": "V-238340 ", - "rid": "SV-238340r654195_rule ", - "stig_id": "UBTU-20-010419 ", - "fix_id": "F-41509r654194_fix ", + "gtitle": "SRG-OS-000125-GPOS-00065 ", + "gid": "V-238211 ", + "rid": "SV-238211r858519_rule ", + "stig_id": "UBTU-20-010035 ", + "fix_id": "F-41380r653807_fix ", "cci": [ - "CCI-001314" + "CCI-000877" ], "nist": [ - "SI-11 b" + "MA-4 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. 
Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n", + "code": "control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. 
Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238340.rb", + "ref": "./controls/SV-238211.rb", "line": 1 }, - "id": "SV-238340" + "id": "SV-238211" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. 
", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must have system commands owned by root or a system account. ", + "desc": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"chfn\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or 
the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chfn\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + "default": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\"\n'{}' \\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding.", + "fix": "Configure the system commands and their respective parent directories to be protected from\nunauthorized access. 
Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\" or a required system account:\n\n$ sudo chown root [FILE]" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238253 ", - "rid": "SV-238253r653934_rule ", - "stig_id": "UBTU-20-010137 ", - "fix_id": "F-41422r653933_fix ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238377 ", + "rid": "SV-238377r832968_rule ", + "stig_id": "UBTU-20-010457 ", + "fix_id": "F-41546r832967_fix ", "cci": [ - "CCI-000172" + "CCI-001499" ], "nist": [ - "AU-12 c" + "CM-5 (6)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. 
'\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! 
-user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238253.rb", + "ref": "./controls/SV-238377.rb", "line": 1 }, - "id": "SV-238253" + "id": "SV-238377" }, { - "title": "The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. ", - "desc": "By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.", + "title": "The Ubuntu operating system must have directories that contain system commands owned by\nroot. ", + "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.", - "check": "Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \"silent\" keyword is missing or commented out, this is a finding.\nIf the \"audit\"\nkeyword is missing or commented out, this is a finding.\nIf the \"deny\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \"fail_interval\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding.", - "fix": "Configure the Ubuntu operating system to utilize the 
\"pam_faillock\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \"auth\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \"pam_faillock\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0" + "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "check": "Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is\na finding.", + "fix": "Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! 
-user root -type d -exec chown root '{}' \\;" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000329-GPOS-00128 ", - "satisfies": [ - "SRG-OS-000329-GPOS-00128", - "SRG-OS-000021-GPOS-00005" - ], - "gid": "V-238235 ", - "rid": "SV-238235r853414_rule ", - "stig_id": "UBTU-20-010072 ", - "fix_id": "F-41404r802382_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000258-GPOS-00099 ", + "gid": "V-238345 ", + "rid": "SV-238345r654210_rule ", + "stig_id": "UBTU-20-010424 ", + "fix_id": "F-41514r654209_fix ", "cci": [ - "CCI-000044", - "CCI-002238" + "CCI-001495" ], "nist": [ - "AC-7 a", - "AC-7 b" + "AU-9" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. 
Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/) }\n its('stdout.strip') { should_not match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/) }\n end\n end\nend\n", + "code": "control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n tag 'host', 'container'\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! 
-user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238235.rb", + "ref": "./controls/SV-238345.rb", "line": 1 }, - "id": "SV-238235" + "id": "SV-238345" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. 
", + "desc": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-agent\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-agent\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load" + "default": "Without the capability to restrict which roles and individuals can select which events 
are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "check": "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nhave a mode more permissive than \"0640\", this is a finding.", + "fix": "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238256 ", - "rid": "SV-238256r653943_rule ", - "stig_id": "UBTU-20-010140 ", - "fix_id": "F-41425r653942_fix ", + "gtitle": "SRG-OS-000063-GPOS-00032 ", + "gid": "V-238249 ", + "rid": "SV-238249r653922_rule ", + "stig_id": "UBTU-20-010133 ", + "fix_id": "F-41418r653921_fix ", "cci": [ - "CCI-000172" + "CCI-000171" ], "nist": [ - "AU-12 c" + "AU-12 b" ], "host": null }, - "code": "control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for 
successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. 
\"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. 
\"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238256.rb", + "ref": "./controls/SV-238249.rb", "line": 1 }, - "id": "SV-238256" + "id": "SV-238249" }, { - "title": "Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ", - "desc": "To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. 
Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.", + "title": "The Ubuntu operating system must be configured to preserve log records from failure events. ", + "desc": "Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.", "descriptions": { - "default": "To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. 
Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.", - "check": "Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding.", - "fix": "Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub" - }, - "impact": 0.7, - "refs": [], - "tags": { - "severity": "high ", - "gtitle": "SRG-OS-000080-GPOS-00048 ", - "gid": "V-238204 ", - "rid": "SV-238204r832936_rule ", - "stig_id": "UBTU-20-010009 ", - 
"fix_id": "F-41373r832935_fix ", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ], - "host": null, - "container": null - }, - "code": "control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. 
\"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host', 'container'\n\n grubfile = file('/boot/grub/grub.cfg').content.lines\n\n grubfile_passes = grubfile.any? { |line| line.match?(/^password_pbkdf2\\s+root/) }\n\n describe 'Grub' do\n it 'should use an encrypted password for root' do\n expect(grubfile_passes).to be_true, 'No password set for root in grub config'\n end\n end\nend\n", - "source_location": { - "ref": "./controls/SV-238204.rb", - "line": 1 - }, - "id": "SV-238204" - }, - { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. 
", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load" - }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - 
"gid": "V-238294 ", - "rid": "SV-238294r654057_rule ", - "stig_id": "UBTU-20-010178 ", - "fix_id": "F-41463r654056_fix ", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ], - "host": null - }, - "code": "control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", - "source_location": { - "ref": "./controls/SV-238294.rb", - "line": 1 - }, - "id": "SV-238294" - }, - { - "title": "The Ubuntu operating system must uniquely identify interactive users. 
", - "desc": "To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.", - "descriptions": { - "default": "To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. 
Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.", - "check": "Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding.", - "fix": "Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate\nUID with a unique UID." + "default": "Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.", + "check": "Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \"rsyslog\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \"disabled\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following 
command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \"inactive\", this is a finding.", + "fix": "Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000104-GPOS-00051 ", - "satisfies": [ - "SRG-OS-000104-GPOS-00051", - "SRG-OS-000121-GPOS-00062" - ], - "gid": "V-238205 ", - "rid": "SV-238205r653790_rule ", - "stig_id": "UBTU-20-010010 ", - "fix_id": "F-41374r653789_fix ", + "gtitle": "SRG-OS-000269-GPOS-00103 ", + "gid": "V-238353 ", + "rid": "SV-238353r654234_rule ", + "stig_id": "UBTU-20-010432 ", + "fix_id": "F-41522r654233_fix ", "cci": [ - "CCI-000764", - "CCI-000804" + "CCI-001665" ], "nist": [ - "IA-2", - "IA-8" + "SC-24" ], "host": null, "container": null }, - "code": "control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. 
Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n tag 'host', 'container'\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", + "code": "control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. 
Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. 
\"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n tag 'host', 'container'\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238205.rb", + "ref": "./controls/SV-238353.rb", "line": 1 }, - "id": "SV-238205" + "id": "SV-238353" }, { - "title": "The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. ", - "desc": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. 
Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", + "title": "The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. ", + "desc": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", "descriptions": { - "default": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. 
Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", - "check": "Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding.", - "fix": "The cron file for AIDE is fairly complex as it creates the report. 
This file is installed with\nthe \"aide-common\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide" + "default": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "check": "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a user other than \"root\", this is a finding.", + "fix": "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" 
and\n\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000446-GPOS-00200 ", - "gid": "V-238236 ", - "rid": "SV-238236r853415_rule ", - "stig_id": "UBTU-20-010074 ", - "fix_id": "F-41405r653882_fix ", + "gtitle": "SRG-OS-000063-GPOS-00032 ", + "gid": "V-238250 ", + "rid": "SV-238250r653925_rule ", + "stig_id": "UBTU-20-010134 ", + "fix_id": "F-41419r653924_fix ", "cci": [ - "CCI-002699" + "CCI-000171" ], "nist": [ - "SI-6 b" + "AU-12 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. 
\"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n tag 'host', 'container'\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n", + "code": "control 'SV-238250' do\n title \"The 
Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. 
\"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238236.rb", + "ref": "./controls/SV-238250.rb", "line": 1 }, - "id": "SV-238236" + "id": "SV-238250" }, { - "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. ", + "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ", "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. 
Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", "descriptions": { "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", - "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", - "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" + "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect 
\"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" }, "impact": 0.5, "refs": [], @@ -4018,11 +4062,12 @@ "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221" ], - "gid": "V-238241 ", - "rid": "SV-238241r853419_rule ", - "stig_id": "UBTU-20-010103 ", - "fix_id": "F-41410r653897_fix ", + "gid": "V-238239 ", + "rid": "SV-238239r853417_rule ", + "stig_id": "UBTU-20-010101 ", + "fix_id": "F-41408r653891_fix ", "cci": [ + "CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", 
@@ -4030,180 +4075,166 @@ "CCI-002130" ], "nist": [ - "AU-12 c", - "AC-2 (4)" + "AC-2 (4)", + "AU-12 c" ], "host": null }, - "code": "control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. 
\"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238241.rb", + "ref": "./controls/SV-238239.rb", "line": 1 }, - "id": "SV-238241" + "id": "SV-238239" }, { - "title": "The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. 
", - "desc": "Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.", + "title": "The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. ", + "desc": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.", "descriptions": { - "default": "Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. 
Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.", - "check": "Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \"execute disable\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to enable NX.\n\nIf \"nx\" is not showing up in\n\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \"enable\"." + "default": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. 
Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding.", + "fix": "Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000433-GPOS-00192 ", - "gid": "V-238368 ", - "rid": "SV-238368r853445_rule ", - "stig_id": "UBTU-20-010447 ", - "fix_id": "F-41537r654278_fix ", + "gtitle": "SRG-OS-000445-GPOS-00199 ", + "gid": "V-238371 ", + "rid": "SV-238371r853448_rule ", + "stig_id": "UBTU-20-010450 ", + "fix_id": "F-41540r654287_fix ", "cci": [ - "CCI-002824" + "CCI-002696" ], "nist": [ - "SI-16" + "SI-6 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. 
Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match(/.+(NX \\(Execute Disable\\) protection: active)/) }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\n end\nend\n", + "code": "control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. 
\"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n tag 'host', 'container'\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238368.rb", + "ref": "./controls/SV-238371.rb", "line": 1 }, - "id": "SV-238368" + "id": "SV-238371" }, { - "title": "The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ", - "desc": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. 
Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "title": "The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. ", + "desc": "Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.", "descriptions": { - "default": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. 
Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", - "check": "Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding.", - "fix": "Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\;" + "default": "Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. 
This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.", + "check": "Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\",\nthis is a finding.", + "fix": "Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\",\nor remove \"AllowUnauthenticated\" entirely from each file. 
Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated\n\"false\";" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000259-GPOS-00100 ", - "gid": "V-238376 ", - "rid": "SV-238376r654303_rule ", - "stig_id": "UBTU-20-010456 ", - "fix_id": "F-41545r654302_fix ", + "gtitle": "SRG-OS-000366-GPOS-00153 ", + "gid": "V-238359 ", + "rid": "SV-238359r853434_rule ", + "stig_id": "UBTU-20-010438 ", + "fix_id": "F-41528r654251_fix ", "cci": [ - "CCI-001499" + "CCI-001749" ], "nist": [ - "CM-5 (6)" + "CM-5 (3)" ], "host": null, "container": null }, - "code": "control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. 
\"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. 
This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. 
Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag 'host', 'container'\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match(/.*false.*/) }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238376.rb", + "ref": "./controls/SV-238359.rb", "line": 1 }, - "id": "SV-238376" + "id": "SV-238359" }, { - "title": "The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. ", - "desc": "Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. 
This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.", + "title": "The Ubuntu operating system library files must be owned by root. ", + "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", "descriptions": { - "default": "Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. 
This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.", - "check": "Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in\n\"/etc/ssh/sshd_config\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding.", - "fix": "Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \"/etc/ssh/sshd_config\" file replacing\n\"[Interval]\" with a value of \"600\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service" + "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. 
Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding.", + "fix": "Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000163-GPOS-00072 ", - "gid": "V-238213 ", - "rid": "SV-238213r858523_rule ", - "stig_id": "UBTU-20-010037 ", - "fix_id": "F-41382r653813_fix ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238349 ", + "rid": "SV-238349r654222_rule ", + "stig_id": "UBTU-20-010428 ", + "fix_id": "F-41518r654221_fix ", "cci": [ - "CCI-001133" + "CCI-001499" ], "nist": [ - "SC-10" + "CM-5 (6)" ], "host": null, "container": null }, - "code": "control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. 
In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n tag 'host', 'container'\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n", + "code": "control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! 
-user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238213.rb", + "ref": "./controls/SV-238349.rb", "line": 1 }, - "id": "SV-238213" + "id": "SV-238349" }, { - "title": "The Ubuntu operating system must be configured to use AppArmor. ", - "desc": "Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). 
Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). 
Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).", - "check": "Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \"apparmor\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \"active\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \"enabled\" is not returned, this is a\nfinding.", - "fix": "Install \"AppArmor\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \"apparmor\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles." 
+ "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"apparmor_parser\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"apparmor_parser\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000368-GPOS-00154 ", - "satisfies": [ - "SRG-OS-000368-GPOS-00154", - "SRG-OS-000312-GPOS-00122", - "SRG-OS-000312-GPOS-00123", - "SRG-OS-000312-GPOS-00124", - "SRG-OS-000324-GPOS-00125", - "SRG-OS-000370-GPOS-00155" - ], - "gid": "V-238360 ", - "rid": "SV-238360r853435_rule ", - "stig_id": "UBTU-20-010439 ", - "fix_id": "F-41529r654254_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238282 ", + "rid": "SV-238282r654021_rule ", + "stig_id": "UBTU-20-010166 ", + 
"fix_id": "F-41451r654020_fix ", "cci": [ - "CCI-001764", - "CCI-001774", - "CCI-002165", - "CCI-002235" + "CCI-000172" ], "nist": [ - "CM-7 (2)", - "CM-7 (5) (b)", - "AC-3 (4)", - "AC-6 (10)" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. 
\"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n tag 'host', 'container'\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' 
exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238360.rb", + "ref": "./controls/SV-238282.rb", "line": 1 }, - "id": "SV-238360" + "id": "SV-238282" }, { - "title": "The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. ", "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/run/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/run/wtmp\" file.\n\nAdd or update the following 
rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + "check": "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"chfn\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chfn\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000472-GPOS-00217 ", - "gid": "V-238316 ", - "rid": "SV-238316r654123_rule ", - "stig_id": "UBTU-20-010278 ", - "fix_id": "F-41485r654122_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238253 ", + "rid": "SV-238253r653934_rule ", + "stig_id": "UBTU-20-010137 ", + "fix_id": "F-41422r653933_fix ", "cci": [ "CCI-000172" ], 
@@ -4212,62 +4243,63 @@ ], "host": null }, - "code": "control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n 
describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238316.rb", + "ref": "./controls/SV-238253.rb", "line": 1 }, - "id": "SV-238316" + "id": "SV-238253" }, { - "title": "The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. ", - "desc": "Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.", + "title": "The Ubuntu operating system must have system commands group-owned by root or a system\naccount. ", + "desc": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. 
Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", "descriptions": { - "default": "Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.", - "check": "Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\"pam_lastlog\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is\nmissing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession\nrequired pam_lastlog.so showfailed" + "default": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. 
Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding.", + "fix": "Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE]" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000480-GPOS-00227 ", - "gid": "V-238373 ", - "rid": "SV-238373r858539_rule ", - "stig_id": "UBTU-20-010453 ", - "fix_id": "F-41542r654293_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238378 ", + "rid": "SV-238378r832971_rule ", + "stig_id": "UBTU-20-010458 ", + "fix_id": "F-41547r832970_fix ", "cci": [ - "CCI-000052" + "CCI-001499" ], "nist": [ - "AC-9" + "CM-5 (6)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. 
\"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*session\\s+required\\s+pam_lastlog.so/) }\n its('stdout.strip') { should_not match(/^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/) }\n end\n end\nend\n", + "code": "control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. 
\"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! 
-group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238373.rb", + "ref": "./controls/SV-238378.rb", "line": 1 }, - "id": "SV-238373" + "id": "SV-238378" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. ", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. 
", "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setfacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setfacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| 
grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudo\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238283 ", - "rid": "SV-238283r654024_rule ", - "stig_id": "UBTU-20-010167 ", - "fix_id": "F-41452r654023_fix ", + "gid": "V-238277 ", + "rid": "SV-238277r654006_rule ", + "stig_id": "UBTU-20-010161 ", + "fix_id": "F-41446r654005_fix ", "cci": [ "CCI-000172" ], 
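Review bot: The SV-238378 control body on the new side (the `+ "code"` string for `./controls/SV-238378.rb`) does not test what its title and check text require: the `find` filter selects files that have the SGID bit (`-perm /2000`) where the STIG check excludes them (`! -perm /2000`), and for whatever it finds it asserts `should_not be_more_permissive_than('0755')` rather than the file's group, so a non-SGID command group-owned by an arbitrary group passes the control. Since profile.json looks like generated output of the controls directory, the fix belongs in `./controls/SV-238378.rb`: change the filter to `! -group root ! -perm /2000 -type f` and replace the mode assertion with `its('group') { should eq 'root' }`, widened to whatever list of required system accounts the profile already accepts as an input. The else-branch describe text, "… that are not Set Group ID up on execution (SGID) files and owned by a privileged account", also overstates what was verified and should say group-owned by root or a required system account.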
@@ -4276,63 +4308,95 @@ ], "host": null }, - "code": "control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n 
end\nend\n", "source_location": { - "ref": "./controls/SV-238283.rb", + "ref": "./controls/SV-238277.rb", "line": 1 }, - "id": "SV-238283" + "id": "SV-238277" }, { - "title": "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. ", - "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.", + "title": "The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. ", + "desc": "Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. 
This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.", "descriptions": { - "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.", - "check": "Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding.", - "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update" + "default": "Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to 
information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.", + "check": "Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding.", + "fix": "Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]" }, - "impact": 0, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000138-GPOS-00069 ", + "gid": "V-238332 ", + "rid": "SV-238332r654171_rule ", + "stig_id": "UBTU-20-010411 ", + "fix_id": "F-41501r654170_fix ", + "cci": [ + "CCI-001090" + ], + "nist": [ + "SC-4" + ], + "host": null, + "container": null + }, + "code": "control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. 
\"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. 
\"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n tag 'host', 'container'\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238332.rb", + "line": 1 + }, + "id": "SV-238332" + }, + { + "title": "The Ubuntu operating system must not allow accounts configured with blank or null passwords. ", + "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.", + "descriptions": { + "default": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. 
Accounts with empty passwords should never be used in operational\nenvironments.", + "check": "To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding.", + "fix": "If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords." + }, + "impact": 0.7, "refs": [], "tags": { "severity": "high ", "gtitle": "SRG-OS-000480-GPOS-00227 ", - "gid": "V-238379 ", - "rid": "SV-238379r654312_rule ", - "stig_id": "UBTU-20-010459 ", - "fix_id": "F-41548r654311_fix ", + "gid": "V-251504 ", + "rid": "SV-251504r832977_rule ", + "stig_id": "UBTU-20-010463 ", + "fix_id": "F-54893r832976_fix ", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. 
\"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n impact 0.0\n describe command('which Xorg').exit_status do\n skip('This control is Not Applicable since a GUI not installed.')\n end\n end\nend\n", + "code": "control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. 
\"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238379.rb", + "ref": "./controls/SV-251504.rb", "line": 1 }, - "id": "SV-238379" + "id": "SV-251504" }, { - "title": "The Ubuntu operating system must generate audit records for the /var/log/btmp file. ", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. 
", "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/btmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/btmp file\".\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + "check": "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"su\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x 
-F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above.", + "fix": "Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000472-GPOS-00217 ", - "gid": "V-238317 ", - "rid": "SV-238317r654126_rule ", - "stig_id": "UBTU-20-010279 ", - "fix_id": "F-41486r654125_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238252 ", + "rid": "SV-238252r653931_rule ", + "stig_id": "UBTU-20-010136 ", + "fix_id": "F-41421r653930_fix ", "cci": [ "CCI-000172" ], 
@@ -4341,30 +4405,30 @@ ], "host": null }, - "code": "control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n 
end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238317.rb", + "ref": "./controls/SV-238252.rb", "line": 1 }, - "id": "SV-238317" + "id": "SV-238252" }, { - "title": "The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. 
", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. 
The performance is helped, though, by combining syscalls into\none rule whenever possible.", - "check": "Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \"unlink\",\n\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \"key\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", - "fix": "Configure the audit system to generate audit events for any successful/unsuccessful use of\n\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for 
one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000468-GPOS-00212 ", - "gid": "V-238310 ", - "rid": "SV-238310r832953_rule ", - "stig_id": "UBTU-20-010267 ", - "fix_id": "F-41479r832952_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238284 ", + "rid": "SV-238284r654027_rule ", + "stig_id": "UBTU-20-010168 ", + "fix_id": "F-41453r654026_fix ", "cci": [ "CCI-000172" ], 
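Review bot: The presence test in the new `"code"` string, `audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?` with `@audit_file = '/bin/su'`, is a substring match, so a rule line for `/bin/sudo` or `/usr/bin/su` alone satisfies it; the control then enters the `auditd.file(@audit_file)` branch and, if that resource matches the path exactly, fails on `its('permissions') { should_not cmp [] }` instead of reporting the clearer `Audit line(s) for /bin/su exist` message from the else branch. A whole-token match, `audit_lines_exist = auditd.lines.any? { |line| line.split.include?("path=#{@audit_file}") || line.split.include?(@audit_file) }`, covers both the `-F path=` and `-w` rule forms and also reads better than the negated `index … .nil?`. The same pattern is repeated for `/usr/bin/chacl` in the next hunk (SV-238284), so any fix should be applied there too. The `auid>=1000` and `auid!=4294967295` filters that the check text calls for are not asserted anywhere in the new block, which only checks action, list and the `x` permission. Since this file appears to be generated from `./controls/SV-238252.rb` (the `source_location` field points there, and the JSON object for this control begins in the preceding hunk), the change belongs in that control file rather than in profile.json.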
@@ -4373,162 +4437,168 @@ ], "host": null }, - "code": "control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. 
\"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if 
audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238310.rb", + "ref": "./controls/SV-238284.rb", "line": 1 }, - "id": "SV-238310" + "id": "SV-238284" }, { - "title": "The Ubuntu operating system must not have the telnet package installed. ", + "title": "The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. ", "desc": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.", "descriptions": { "default": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.", - "check": "Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding.", - "fix": "Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd" + "check": "Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or\ngreater, this is a finding.", + "fix": "Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512:\n\n\nENCRYPT_METHOD SHA512" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high ", - "gtitle": "SRG-OS-000074-GPOS-00042 ", - "gid": "V-238326 ", - "rid": "SV-238326r654153_rule ", - "stig_id": "UBTU-20-010405 ", - "fix_id": "F-41495r654152_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000120-GPOS-00061 ", + "gid": "V-238325 ", + "rid": "SV-238325r654150_rule ", + "stig_id": "UBTU-20-010404 ", + "fix_id": "F-41494r654149_fix ", "cci": [ - "CCI-000197" + "CCI-000803" ], "nist": [ - "IA-5 (1) (c)" + "IA-7" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. 
\"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n tag 'host', 'container'\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238326.rb", + "ref": "./controls/SV-238325.rb", "line": 1 }, - "id": "SV-238326" + "id": "SV-238325" }, { - "title": "The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper ", - "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. 
Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.", + "title": "The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. ", + "desc": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", "descriptions": { - "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. 
The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.", - "check": "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \"yes\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \"no\", this is a finding.", - "fix": "Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist." + "default": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "check": "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf 
the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a group other than \"root\", this is a finding.", + "fix": "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000363-GPOS-00150 ", - "gid": "V-238358 ", - "rid": "SV-238358r853433_rule ", - "stig_id": "UBTU-20-010437 ", - "fix_id": "F-41527r654248_fix ", + "gtitle": "SRG-OS-000063-GPOS-00032 ", + "gid": "V-238251 ", + "rid": "SV-238251r653928_rule ", + "stig_id": "UBTU-20-010135 ", + "fix_id": "F-41420r653927_fix ", "cci": [ - "CCI-001744" + "CCI-000171" ], "nist": [ - "CM-3 (5)" + "AU-12 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. 
\"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n tag 'host', 'container'\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n", + "code": "control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. 
\"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238358.rb", + "ref": "./controls/SV-238251.rb", "line": 
1 }, - "id": "SV-238358" + "id": "SV-238251" }, { - "title": "The Ubuntu operating system must not have the rsh-server package installed. ", - "desc": "It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.", + "title": "The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. ", + "desc": "Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). 
If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.", - "check": "Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding.", - "fix": "Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server" + "default": "Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). 
Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.", + "check": "Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\"openssh\" server package is not installed, this is a finding.\n\nVerify the \"sshd.service\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \"(active|loaded)\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding.", + "fix": "Install the \"ssh\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \"ssh\" service is running\n\n$ sudo\nsystemctl start sshd.service" }, "impact": 0.7, "refs": [], "tags": { "severity": "high ", - "gtitle": "SRG-OS-000095-GPOS-00049 ", - "gid": "V-238327 ", - "rid": "SV-238327r654156_rule ", - "stig_id": "UBTU-20-010406 ", - "fix_id": "F-41496r654155_fix ", + "gtitle": 
"SRG-OS-000423-GPOS-00187 ", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000425-GPOS-00189", + "SRG-OS-000426-GPOS-00190" + ], + "gid": "V-238215 ", + "rid": "SV-238215r853406_rule ", + "stig_id": "UBTU-20-010042 ", + "fix_id": "F-41384r653819_fix ", "cci": [ - "CCI-000381" + "CCI-002418", + "CCI-002420", + "CCI-002422" ], "nist": [ - "CM-7 a" + "SC-8", + "SC-8 (2)" ], "host": null, "container": null }, - "code": "control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host', 'container'\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). 
If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. 
\"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n tag 'host', 'container'\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238327.rb", + "ref": "./controls/SV-238215.rb", "line": 1 }, - "id": "SV-238327" + "id": "SV-238215" }, { - "title": "The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. ", - "desc": "Changes to any software components can have significant effects on the overall security of\nthe operating system. 
This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.", + "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. ", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", "descriptions": { - "default": "Changes to any software components can have significant effects on the overall security of\nthe operating system. 
This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.", - "check": "Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\",\nthis is a finding.", - "fix": "Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\",\nor remove \"AllowUnauthenticated\" entirely from each file. 
Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated\n\"false\";" + "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", + "check": "Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"lcredit\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding.", + "fix": "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter:\n\n\nlcredit=-1" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000366-GPOS-00153 ", - "gid": "V-238359 ", - "rid": "SV-238359r853434_rule ", - "stig_id": "UBTU-20-010438 ", - "fix_id": "F-41528r654251_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000070-GPOS-00038 ", + "gid": "V-238222 ", + "rid": "SV-238222r653841_rule ", + "stig_id": "UBTU-20-010051 ", + "fix_id": "F-41391r653840_fix ", "cci": [ - "CCI-001749" + "CCI-000193" ], "nist": [ - "CM-5 (3)" + "IA-5 (1) (a)" ], "host": null, "container": null }, - "code": "control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have 
been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. 
\"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag 'host', 'container'\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match(/.*false.*/) }\n end\n end\n end\nend\n", + "code": "control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. 
The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238359.rb", + "ref": "./controls/SV-238222.rb", "line": 1 }, - "id": "SV-238359" + "id": "SV-238222" }, { - "title": "The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. 
", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. 
The performance is helped, though, by combining syscalls into\none rule whenever possible.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above.", - "fix": "Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. 
The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \"unlink\",\n\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \"key\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", + "fix": "Configure the audit system to generate audit events for any successful/unsuccessful use of\n\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000477-GPOS-00222 ", - "gid": "V-238320 ", - "rid": "SV-238320r832956_rule ", - "stig_id": "UBTU-20-010298 ", - "fix_id": 
"F-41489r832955_fix ", + "gtitle": "SRG-OS-000468-GPOS-00212 ", + "gid": "V-238310 ", + "rid": "SV-238310r832953_rule ", + "stig_id": "UBTU-20-010267 ", + "fix_id": "F-41479r832952_fix ", "cci": [ "CCI-000172" ], 
@@ -4537,666 +4607,747 @@ ], "host": null }, - "code": "control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238320.rb", + "ref": "./controls/SV-238310.rb", "line": 1 }, - "id": "SV-238320" + "id": "SV-238310" }, { - "title": "The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. 
", - "desc": "Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.", + "title": "The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.", - "check": "Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set\nthe parameter \"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the 
\"/var/run/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/run/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000480-GPOS-00226 ", - "gid": "V-238237 ", - "rid": "SV-238237r653886_rule ", - "stig_id": "UBTU-20-010075 ", - "fix_id": "F-41406r653885_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000472-GPOS-00217 ", + "gid": "V-238316 ", + "rid": "SV-238316r654123_rule ", + "stig_id": "UBTU-20-010278 ", + "fix_id": "F-41485r654122_fix ", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b" + "AU-12 c" ], "host": null }, - "code": "control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/) }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n", + "code": "control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", 
"source_location": { - "ref": "./controls/SV-238237.rb", + "ref": "./controls/SV-238316.rb", "line": 1 }, - "id": "SV-238237" + "id": "SV-238316" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. ", + "desc": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. 
Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"sudoedit\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudoedit\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load" + "default": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) 
is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.", + "check": "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\",\n\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the\n\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in 
a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238278 ", - "rid": "SV-238278r654009_rule ", - "stig_id": "UBTU-20-010162 ", - "fix_id": "F-41447r654008_fix ", + "gtitle": "SRG-OS-000424-GPOS-00188 ", + "satisfies": [ + "SRG-OS-000424-GPOS-00188", + "SRG-OS-000033-GPOS-00014", + "SRG-OS-000394-GPOS-00174" + ], + "gid": "V-238217 ", + "rid": "SV-238217r860821_rule ", + "stig_id": "UBTU-20-010044 ", + "fix_id": "F-41386r653825_fix ", "cci": [ - "CCI-000172" + "CCI-000068", + "CCI-002421", + "CCI-003123" ], "nist": [ - "AU-12 c" + "AC-17 (2)", + "SC-8 (1)", + "MA-4 (6)" ], "host": null }, - "code": "control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { 
audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. 
Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n 
skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w(aes256-ctr aes192-ctr aes128-ctr) }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238278.rb", + "ref": "./controls/SV-238217.rb", "line": 1 }, - "id": "SV-238278" + "id": "SV-238217" }, { - "title": "The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. ", - "desc": "Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.", + "title": "The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. 
", + "desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", "descriptions": { - "default": "Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.", - "check": "Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \"UsePAM\"\nis set to \"yes\" in \"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \"UsePAM\" is not set to \"yes\", this is a finding.\nIf\nconflicting results are returned, this is a finding.", - "fix": "Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes" + "default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "check": 
"Verify the audit log files are owned by \"root\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \"root\" user by using the following\ncommand:\n\n$ sudo stat -c \"%n %U\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \"root\", this is a finding.", + "fix": "Configure the audit log directory and its underlying files to be owned by \"root\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \"root\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/*" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000125-GPOS-00065 ", - "gid": "V-238211 ", - "rid": "SV-238211r858519_rule ", - "stig_id": "UBTU-20-010035 ", - "fix_id": "F-41380r653807_fix ", + "gtitle": "SRG-OS-000057-GPOS-00027 ", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" + ], + "gid": "V-238246 ", + "rid": "SV-238246r653913_rule ", + "stig_id": "UBTU-20-010123 ", + "fix_id": "F-41415r653912_fix ", "cci": [ - "CCI-000877" + "CCI-000162" ], "nist": [ - "MA-4 c" + "AU-9 a" ], "host": null }, - "code": "control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. 
Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n", + "code": "control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. 
\"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n 
describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238211.rb", + "ref": "./controls/SV-238246.rb", "line": 1 }, - "id": "SV-238211" + "id": "SV-238246" }, { - "title": "The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ", - "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. ", + "desc": "Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. 
Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. 
The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog" + "default": "Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). 
This does not apply to authentication for the purpose of configuring\nthe device itself (management).", + "check": "Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.", + "fix": "Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"libpam-pkcs11\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000206-GPOS-00084 ", - "gid": "V-238342 ", - "rid": "SV-238342r654201_rule ", - "stig_id": "UBTU-20-010421 ", - "fix_id": "F-41511r654200_fix ", + "gtitle": "SRG-OS-000375-GPOS-00160 ", + "gid": "V-238230 ", + "rid": "SV-238230r853410_rule ", + "stig_id": "UBTU-20-010063 ", + "fix_id": "F-41399r653864_fix ", "cci": [ - "CCI-001314" + "CCI-001948" ], "nist": [ - "SI-11 b" + "IA-2 (11)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. 
The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n", + "code": "control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. 
Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238342.rb", + "ref": "./controls/SV-238230.rb", "line": 1 }, - "id": "SV-238342" + "id": "SV-238230" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. ", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. 
\"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chsh\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chsh\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load" + "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. 
\"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.", + "check": "Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \"libpam-pwquality\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \"enforcing\" is not \"1\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \"pwquality\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\",\nthis is a finding.", + "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\n\nInstall the \"pam_pwquality\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \"/etc/security/pwquality.conf\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\"/etc/pam.d/common-password\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and\n\"3\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238279 ", - "rid": "SV-238279r654012_rule ", - "stig_id": "UBTU-20-010163 ", - "fix_id": "F-41448r654011_fix ", + "gtitle": "SRG-OS-000480-GPOS-00225 ", + "gid": "V-238228 ", + "rid": "SV-238228r653859_rule ", + "stig_id": "UBTU-20-010057 ", + "fix_id": "F-41397r653858_fix ", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c" + "CM-6 b" ], "host": null }, - "code": "control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. 
\\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3$' }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238279.rb", + "ref": "./controls/SV-238228.rb", "line": 1 }, - "id": "SV-238279" + "id": "SV-238228" }, { - "title": "The Ubuntu operating system must configure audit tools to be owned by root. ", - "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "title": "The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. 
", + "desc": "The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. 
Audit tools include custom queries and\nreport generators.", - "check": "Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding.", - "fix": "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by root." + "default": "The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. 
The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.", + "check": "Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\"/etc/security/limits.conf\" file:\n\n* hard maxlogins 10" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000256-GPOS-00097 ", - "satisfies": [ - "SRG-OS-000256-GPOS-00097", - "SRG-OS-000257-GPOS-00098" - ], - "gid": "V-238301 ", - "rid": "SV-238301r654078_rule ", - "stig_id": "UBTU-20-010200 ", - "fix_id": "F-41470r654077_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000027-GPOS-00008 ", + "gid": "V-238323 ", + "rid": "SV-238323r654144_rule ", + "stig_id": "UBTU-20-010400 ", + "fix_id": "F-41492r654143_fix ", "cci": [ - "CCI-001493", - "CCI-001494" + "CCI-000054" ], "nist": [ - "AU-9 a", - "AU-9" + "AC-10" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n", + "code": "control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n tag 'host', 'container'\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238301.rb", + "ref": "./controls/SV-238323.rb", "line": 1 }, - "id": "SV-238301" + "id": "SV-238323" }, { - "title": "The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. ", - "desc": "Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.", + "title": "The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. 
", + "desc": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.", "descriptions": { - "default": "Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.", - "check": "Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the 
following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file." + "default": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.", + "check": "Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the\n\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a\nfinding.", + "fix": "Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure administrators\nare notified via 
email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \"administrator_account\" to an account for\nsecurity personnel.\n\nRestart the \"auditd\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000105-GPOS-00052 ", - "satisfies": [ - "SRG-OS-000105-GPOS-00052", - "SRG-OS-000106-GPOS-00053", - "SRG-OS-000107-GPOS-00054", - "SRG-OS-000108-GPOS-00055" - ], - "gid": "V-238210 ", - "rid": "SV-238210r858517_rule ", - "stig_id": "UBTU-20-010033 ", - "fix_id": "F-41379r653804_fix ", + "gtitle": "SRG-OS-000046-GPOS-00022 ", + "gid": "V-238243 ", + "rid": "SV-238243r653904_rule ", + "stig_id": "UBTU-20-010117 ", + "fix_id": "F-41412r653903_fix ", "cci": [ - "CCI-000765", - "CCI-000766", - "CCI-000767", - "CCI-000768" + "CCI-000139" ], "nist": [ - "IA-2 (1)", - "IA-2 (2)", - "IA-2 (3)", - "IA-2 (4)" + "AU-5 a" ], "host": null }, - "code": "control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. 
\"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n", + "code": "control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. 
\"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238210.rb", + "ref": "./controls/SV-238243.rb", "line": 1 }, - "id": "SV-238210" + "id": "SV-238243" }, { - "title": "The Ubuntu operating system must have system commands group-owned by root or a 
system\naccount. ", - "desc": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "title": "The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. 
Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", - "check": "Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding.", - "fix": "Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE]" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"modprobe\" by running the following command:\n\n$ sudo auditctl -l | grep\n\"/sbin/modprobe\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"modprobe\".\n\nAdd or 
update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000259-GPOS-00100 ", - "gid": "V-238378 ", - "rid": "SV-238378r832971_rule ", - "stig_id": "UBTU-20-010458 ", - "fix_id": "F-41547r832970_fix ", + "gtitle": "SRG-OS-000477-GPOS-00222 ", + "gid": "V-238318 ", + "rid": "SV-238318r654129_rule ", + "stig_id": "UBTU-20-010296 ", + "fix_id": "F-41487r654128_fix ", "cci": [ - "CCI-001499" + "CCI-000172" ], "nist": [ - "CM-5 (6)" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! 
-perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = 
auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238378.rb", + "ref": "./controls/SV-238318.rb", "line": 1 }, - "id": "SV-238378" + "id": "SV-238318" }, { - "title": "The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. ", - "desc": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.", + "title": "The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. 
", + "desc": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", "descriptions": { - "default": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. 
Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.", - "check": "Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \"TMOUT\" environment variable is set in the\n\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by\nperforming the following command:\n\n$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \"TMOUT\" is not set, or if the value is \"0\" or is commented\nout, this is a finding.", - "fix": "Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist.\n\nModify or append the\nfollowing line in the \"/etc/profile.d/99-terminal_tmout.sh \" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600" + "default": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management 
difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", + "check": "Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \"ufw\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding.", + "fix": "Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000279-GPOS-00109 ", - "gid": "V-238207 ", - "rid": "SV-238207r853404_rule ", - "stig_id": "UBTU-20-010013 ", - "fix_id": "F-41376r653795_fix ", + "gtitle": "SRG-OS-000297-GPOS-00115 ", + "gid": "V-238354 ", + "rid": "SV-238354r853429_rule ", + "stig_id": "UBTU-20-010433 ", + "fix_id": "F-41523r654236_fix ", "cci": [ - "CCI-002361" + "CCI-002314" ], "nist": [ - "AC-12" + "AC-17 (1)" ], "host": null, "container": null }, - "code": "control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. 
\"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. 
\"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n tag 'host', 'container'\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n", + "code": "control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. 
Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n tag 'host', 'container'\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238207.rb", + "ref": "./controls/SV-238354.rb", "line": 1 }, - "id": "SV-238207" + "id": "SV-238354" }, { - "title": "The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ", - "desc": "Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. 
Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.", + "title": "The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. ", + "desc": "Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.", "descriptions": { - "default": "Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. 
Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.", - "check": "Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires." + "default": "Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. 
This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.", + "check": "Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in\n\"/etc/ssh/sshd_config\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding.", + "fix": "Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \"/etc/ssh/sshd_config\" file replacing\n\"[Interval]\" with a value of \"600\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000118-GPOS-00060 ", - "gid": "V-238330 ", - "rid": "SV-238330r654165_rule ", - "stig_id": "UBTU-20-010409 ", - "fix_id": "F-41499r654164_fix ", + "gtitle": "SRG-OS-000163-GPOS-00072 ", + "gid": "V-238213 ", + "rid": "SV-238213r858523_rule ", + "stig_id": "UBTU-20-010037 ", + "fix_id": "F-41382r653813_fix ", "cci": [ - "CCI-000795" + "CCI-001133" ], "nist": [ - "IA-4 e" + "SC-10" ], "host": null, "container": null }, - "code": "control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. 
\"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n tag 'host', 'container'\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. 
\"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n tag 'host', 'container'\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238330.rb", + "ref": "./controls/SV-238213.rb", "line": 1 }, - "id": "SV-238330" + "id": "SV-238213" }, { - "title": "The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. ", - "desc": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. 
If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.", + "title": "The Ubuntu operating system must enforce a minimum 15-character password length. ", + "desc": "The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.", "descriptions": { - "default": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.", - "check": "Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented\nout, this is a finding.", - "fix": "Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60" + "default": "The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of 
several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.", + "check": "Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \"minlen\" parameter value is not \"15\" or\nhigher or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file:\n\n\nminlen=15" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000076-GPOS-00044 ", - "gid": "V-238203 ", - "rid": "SV-238203r653784_rule ", - "stig_id": "UBTU-20-010008 ", - "fix_id": "F-41372r653783_fix ", + "severity": "medium ", + "gtitle": "SRG-OS-000078-GPOS-00046 ", + "gid": "V-238225 ", + "rid": "SV-238225r832942_rule ", + "stig_id": "UBTU-20-010054 ", + "fix_id": "F-41394r653849_fix ", "cci": [ - "CCI-000199" + "CCI-000205" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) (a)" ], "host": null, "container": null }, - "code": "control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. 
\"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n tag 'host', 'container'\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n", + "code": "control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238203.rb", + "ref": "./controls/SV-238225.rb", "line": 1 }, - "id": "SV-238203" + "id": "SV-238225" }, { - "title": "The Ubuntu operating system must have system commands owned by root or a system account. ", - "desc": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "title": "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. 
", + "desc": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", "descriptions": { - "default": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", - "check": "Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\"\n'{}' \\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding.", - "fix": "Configure the system commands and their respective parent directories to be protected from\nunauthorized access. 
Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\" or a required system account:\n\n$ sudo chown root [FILE]" + "default": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", + "check": "If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.", + "fix": 
"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000259-GPOS-00100 ", - "gid": "V-238377 ", - "rid": "SV-238377r832968_rule ", - "stig_id": "UBTU-20-010457 ", - "fix_id": "F-41546r832967_fix ", + "gtitle": "SRG-OS-000404-GPOS-00183 ", + "gid": "V-238365 ", + "rid": "SV-238365r853442_rule ", + "stig_id": "UBTU-20-010444 ", + "fix_id": "F-41534r654269_fix ", "cci": [ - "CCI-001499" + "CCI-002475" ], "nist": [ - "CM-5 (6)" + "SC-28 (1)" ], "host": null, "container": null }, - "code": "control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! 
-user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. 
\"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. 
\"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n tag 'host', 'container'\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", "source_location": { - "ref": "./controls/SV-238377.rb", + "ref": "./controls/SV-238365.rb", "line": 1 }, - "id": "SV-238377" + "id": "SV-238365" }, { - "title": "The Ubuntu operating system must have an application firewall enabled. ", - "desc": "Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.", + "title": "The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. 
Application firewalls limit which applications are allowed to communicate\nover the network.", - "check": "Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \"active:\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \"inactive\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding.", - "fix": "Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"kmod\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"kmod\".\n\nAdd or update the following rule in the \"/etc/audit/rules.d/stig.rules\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the 
rules file, issue the following command:\n\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000480-GPOS-00232 ", - "gid": "V-238374 ", - "rid": "SV-238374r654297_rule ", - "stig_id": "UBTU-20-010454 ", - "fix_id": "F-41543r654296_fix ", + "gtitle": "SRG-OS-000477-GPOS-00222 ", + "gid": "V-238319 ", + "rid": "SV-238319r654132_rule ", + "stig_id": "UBTU-20-010297 ", + "fix_id": "F-41488r654131_fix ", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b" + "AU-12 c" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. 
\"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238374.rb", + "ref": "./controls/SV-238319.rb", "line": 1 }, - "id": "SV-238374" + "id": "SV-238319" }, { - "title": "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. 
", - "desc": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { - "default": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. 
Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. 
See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", - "check": "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\"You are accessing a U.S.\nGovernment \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use\nonly.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the\nfollowing conditions:\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and\ncounterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,\nauthentication and access controls\\) to protect USG interests--not for your personal\nbenefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, 
and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding.", - "fix": "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nSet the \"banner-message-text\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"key\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"passwd\" command.\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000023-GPOS-00006 ", - "gid": "V-238198 ", - "rid": "SV-238198r653769_rule ", - "stig_id": "UBTU-20-010003 ", - "fix_id": "F-41367r653768_fix ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238288 ", + "rid": "SV-238288r833012_rule ", + "stig_id": "UBTU-20-010172 ", + "fix_id": "F-41457r832949_fix ", "cci": [ - "CCI-000048" + "CCI-000172" ], "nist": [ - "AC-8 a" + "AU-12 c" 
], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of 
privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or 
privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by 
attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host', 'container'\n\n expected_banner_text = input('banner_text')\n clean_banner = expected_banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n actual_banner_text = parse_config_file('/etc/gdm3/greeter.dconf-defaults').params['org/gnome/login-screen']['banner-message-text']\n clean_actual_banner = actual_banner_text.gsub(/[\\r\\n\\s]/, '').gsub(/\\\\n/, '').gsub(/'/, '')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { clean_actual_banner }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n", + "code": "control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { 
audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238198.rb", + "ref": "./controls/SV-238288.rb", "line": 1 }, - "id": "SV-238198" + "id": "SV-238288" }, { - "title": "The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. ", - "desc": "Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.", + "title": "The Ubuntu operating system must configure audit tools to be owned by root. ", + "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", "descriptions": { - "default": "Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. 
The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.", - "check": "Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding.", - "fix": "Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \"Ubuntu\nAdvantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS." + "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. 
Audit tools include custom queries and\nreport generators.", + "check": "Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding.", + "fix": "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by root." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high ", - "gtitle": "SRG-OS-000396-GPOS-00176 ", + "severity": "medium ", + "gtitle": "SRG-OS-000256-GPOS-00097 ", "satisfies": [ - "SRG-OS-000396-GPOS-00176", - "SRG-OS-000478-GPOS-00223" + "SRG-OS-000256-GPOS-00097", + "SRG-OS-000257-GPOS-00098" ], - "gid": "V-238363 ", - "rid": "SV-238363r853438_rule ", - "stig_id": "UBTU-20-010442 ", - "fix_id": "F-41532r654263_fix ", + "gid": "V-238301 ", + "rid": "SV-238301r654078_rule ", + "stig_id": "UBTU-20-010200 ", + "fix_id": "F-41470r654077_fix ", "cci": [ - "CCI-002450" + "CCI-001493", + "CCI-001494" ], "nist": [ - "SC-13 b" + "AU-9 a", + "AU-9" ], "host": null }, - "code": "control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, 
regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. 
\"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match(/\\A1\\Z/) }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. 
Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238363.rb", + "ref": "./controls/SV-238301.rb", "line": 1 }, - "id": "SV-238363" + "id": "SV-238301" }, { - "title": "The Ubuntu operating system must configure the audit tools to be group-owned by root. ", - "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "title": "The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. ", + "desc": "An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. 
For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. 
Audit tools include custom queries and\nreport generators.", - "check": "Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding.", - "fix": "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root." + "default": "An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. 
For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.", + "check": "Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding.", + "fix": "Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000256-GPOS-00097 ", - "satisfies": [ - "SRG-OS-000256-GPOS-00097", - "SRG-OS-000257-GPOS-00098" - ], - "gid": "V-238302 ", - "rid": "SV-238302r654081_rule ", - "stig_id": "UBTU-20-010201 ", - "fix_id": "F-41471r654080_fix ", + "severity": "high ", + "gtitle": "SRG-OS-000134-GPOS-00068 ", + "gid": "V-238206 ", + "rid": "SV-238206r653793_rule ", + "stig_id": "UBTU-20-010012 ", + "fix_id": "F-41375r653792_fix ", "cci": [ - "CCI-001493", - "CCI-001494" + "CCI-001084" ], "nist": [ - "AU-9 a", - "AU-9" + "SC-3" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. 
'\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n", + "code": "control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. 
For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host', 'container'\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238302.rb", + "ref": "./controls/SV-238206.rb", "line": 1 }, - "id": "SV-238302" + "id": "SV-238206" }, { - "title": "The Ubuntu operating system must 
generate audit records for successful/unsuccessful uses\nof the unix_update command. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. ", + "desc": "Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. 
Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify that an audit event is generated for any successful/unsuccessful use of the\n\"unix_update\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"unix_update\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + "default": "Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be 
carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.", + "check": "Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to set permissions of all log files under the\n\"/var/log\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\;" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238289 ", - "rid": "SV-238289r654042_rule ", - "stig_id": "UBTU-20-010173 ", - "fix_id": "F-41458r654041_fix ", + "gtitle": "SRG-OS-000205-GPOS-00083 ", + "gid": "V-238337 ", + "rid": "SV-238337r654186_rule ", + "stig_id": "UBTU-20-010416 ", + "fix_id": "F-41506r654185_fix ", "cci": [ - "CCI-000172" + "CCI-001312" ], "nist": [ - "AU-12 c" + "SI-11 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. 
\"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. 
The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n tag 'host', 'container'\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238289.rb", + "ref": "./controls/SV-238337.rb", "line": 1 }, - "id": "SV-238289" + "id": "SV-238337" }, { - "title": "The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. 
", - "desc": "The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.", + "title": "The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ", + "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.", "descriptions": { - "default": "The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. 
The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.", - "check": "Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\"/etc/security/limits.conf\" file:\n\n* hard maxlogins 10" + "default": "Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.", + "check": "Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding.", + "fix": "Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory." 
}, "impact": 0.3, "refs": [], "tags": { "severity": "low ", - "gtitle": "SRG-OS-000027-GPOS-00008 ", - "gid": "V-238323 ", - "rid": "SV-238323r654144_rule ", - "stig_id": "UBTU-20-010400 ", - "fix_id": "F-41492r654143_fix ", + "gtitle": "SRG-OS-000479-GPOS-00224 ", + "gid": "V-238321 ", + "rid": "SV-238321r853428_rule ", + "stig_id": "UBTU-20-010300 ", + "fix_id": "F-41490r654137_fix ", "cci": [ - "CCI-000054" + "CCI-001851" ], "nist": [ - "AC-10" + "AU-4 (1)" ], "host": null, "container": null }, - "code": "control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n tag 'host', 'container'\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n", + "code": "control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. 
\"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host', 'container'\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238323.rb", + "ref": "./controls/SV-238321.rb", "line": 1 }, - "id": "SV-238323" + "id": "SV-238321" }, { - "title": "The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. ", - "desc": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. 
Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.", + "title": "The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. ", + "desc": "Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.", "descriptions": { - "default": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. 
Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.", - "check": "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or\n\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service" - }, - "impact": 0.5, + "default": "Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. 
It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.", + "check": "Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding.", + "fix": "Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName]" + }, + "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000424-GPOS-00188 ", - "satisfies": [ - "SRG-OS-000424-GPOS-00188", - "SRG-OS-000250-GPOS-00093", - "SRG-OS-000393-GPOS-00173" + "gtitle": "SRG-OS-000380-GPOS-00165 ", + "gid": "V-238361 ", + "rid": "SV-238361r853436_rule ", + "stig_id": "UBTU-20-010440 ", + "fix_id": "F-41530r654257_fix ", + "cci": [ + "CCI-002041" ], - "gid": "V-238216 ", - "rid": "SV-238216r860820_rule ", - "stig_id": "UBTU-20-010043 ", - "fix_id": "F-41385r653822_fix ", + "nist": [ + "IA-5 (1) (f)" + ], + "host": null, + "container": null + }, + "code": "control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. 
It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n tag 'host', 'container'\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238361.rb", + "line": 1 + }, + "id": "SV-238361" + }, + { + "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. ", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. 
The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.", + "descriptions": { + "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.", + "check": "Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the\nfollowing command:\n\n$ grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter:\n\n\nocredit=-1" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000266-GPOS-00101 ", + "gid": "V-238226 ", + "rid": "SV-238226r653853_rule ", + "stig_id": "UBTU-20-010055 ", + "fix_id": "F-41395r653852_fix ", "cci": [ - "CCI-001453", - "CCI-002421", - "CCI-002890" + "CCI-001619" ], "nist": [ - "AC-17 (2)", - "SC-8 (1)", - "MA-4 (6)" + "IA-5 (1) (a)" + ], + "host": null, + "container": null + }, + "code": "control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least 
one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238226.rb", + "line": 1 + }, + "id": "SV-238226" + }, + { + "title": "The Ubuntu 
operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ", + "desc": "Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.", + "descriptions": { + "default": "Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). 
A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.", + "check": "Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and 
modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000066-GPOS-00034 ", + "gid": "V-238229 ", + "rid": "SV-238229r653862_rule ", + "stig_id": "UBTU-20-010060 ", + "fix_id": "F-41398r653861_fix ", + "cci": [ + "CCI-000185" + ], + "nist": [ + "IA-5 (2) (b) (1)" ], "host": null }, - "code": "control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. 
Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in 
a container must be reviewed manually'\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n", + "code": "control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. 
\"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238216.rb", + "ref": "./controls/SV-238229.rb", "line": 1 }, - "id": "SV-238216" + "id": "SV-238229" + }, + { + "title": "The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. ", + "desc": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. 
Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", + "descriptions": { + "default": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. 
Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", + "check": "Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding.", + "fix": "The cron file for AIDE is fairly complex as it creates the report. 
This file is installed with\nthe \"aide-common\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000446-GPOS-00200 ", + "gid": "V-238236 ", + "rid": "SV-238236r853415_rule ", + "stig_id": "UBTU-20-010074 ", + "fix_id": "F-41405r653882_fix ", + "cci": [ + "CCI-002699" + ], + "nist": [ + "SI-6 b" + ], + "host": null, + "container": null + }, + "code": "control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. 
Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. 
This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n tag 'host', 'container'\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238236.rb", + "line": 1 + }, + "id": "SV-238236" }, { "title": "The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. ", 
@@ -5235,70 +5386,100 @@ "id": "SV-238306" }, { - "title": "The Ubuntu operating system must have directories that contain system commands owned by\nroot. ", - "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "title": "The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. ", + "desc": "Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", - "check": "Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is\na finding.", - "fix": "Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\;" + "default": "Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.", + "check": "Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\"pam_lastlog\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is\nmissing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession\nrequired pam_lastlog.so showfailed" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000258-GPOS-00099 ", - "gid": "V-238345 ", - "rid": "SV-238345r654210_rule ", - "stig_id": "UBTU-20-010424 ", - "fix_id": "F-41514r654209_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-238373 ", + "rid": "SV-238373r858539_rule ", + "stig_id": "UBTU-20-010453 ", + "fix_id": "F-41542r654293_fix ", "cci": [ - "CCI-001495" + "CCI-000052" ], "nist": [ - "AU-9" + "AC-9" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n tag 'host', 'container'\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! 
-user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*session\\s+required\\s+pam_lastlog.so/) }\n its('stdout.strip') { should_not match(/^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/) }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238345.rb", + "ref": "./controls/SV-238373.rb", "line": 1 }, - "id": "SV-238345" + "id": "SV-238373" }, { - "title": "The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. ", - "desc": "When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.", + "title": "The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. 
", + "desc": "Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.", "descriptions": { - "default": "When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.", - "check": "Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to\n\"no\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding.", - "fix": "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\"\nkeyword and set its value to \"yes\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service" + "default": "Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. 
Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.", + "check": "Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \"execute disable\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to enable NX.\n\nIf \"nx\" is not showing up in\n\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \"enable\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000480-GPOS-00227 ", - "gid": "V-238220 ", - "rid": "SV-238220r858535_rule ", - "stig_id": "UBTU-20-010049 ", - "fix_id": "F-41389r653834_fix ", + "gtitle": "SRG-OS-000433-GPOS-00192 ", + "gid": "V-238368 ", + "rid": "SV-238368r853445_rule ", + "stig_id": "UBTU-20-010447 ", + "fix_id": "F-41537r654278_fix ", "cci": [ - "CCI-000366" + "CCI-002824" ], "nist": [ - "CM-6 b" + "SI-16" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. 
By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n", + "code": "control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. 
Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match(/.+(NX \\(Execute Disable\\) protection: active)/) }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238220.rb", + "ref": "./controls/SV-238368.rb", "line": 1 }, - "id": "SV-238220" + "id": "SV-238368" + }, + { + "title": "The Ubuntu operating system must immediately notify 
the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. ", + "desc": "If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.", + "descriptions": { + "default": "If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.", + "check": "Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \"space_left\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \"space_left_action\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\"space_left_action\" is set to \"exec\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \"space_left_action\" is set\nto \"email\", check the value of the \"action_mail_acct\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". 
If the\n\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available.", + "fix": "Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or\n\"email\".\n\nIf the \"space_left_action\" parameter is set to \"email\", set the\n\"action_mail_acct\" parameter to an email address for the SA and ISSO.\n\nIf the\n\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity." + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000343-GPOS-00134 ", + "gid": "V-238307 ", + "rid": "SV-238307r853425_rule ", + "stig_id": "UBTU-20-010217 ", + "fix_id": "F-41476r654095_fix ", + "cci": [ + "CCI-001855" + ], + "nist": [ + "AU-5 (1)" + ], + "host": null + }, + "code": "control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. 
\"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. 
\"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? 
&& !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238307.rb", + "line": 1 + }, + "id": "SV-238307" }, { "title": "The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. ", 
@@ -5334,87 +5515,87 @@ "id": "SV-238369" }, { - "title": "The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. ", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "title": "The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. ", + "desc": "Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. 
An example is a checksum hash of the file or\nfiles.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"modprobe\" by running the following command:\n\n$ sudo auditctl -l | grep\n\"/sbin/modprobe\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", - "fix": "Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"modprobe\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + "default": "Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. 
Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding.", + "fix": "Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000477-GPOS-00222 ", - "gid": "V-238318 ", - "rid": "SV-238318r654129_rule ", - "stig_id": "UBTU-20-010296 ", - "fix_id": "F-41487r654128_fix ", + "gtitle": 
"SRG-OS-000278-GPOS-00108 ", + "gid": "V-238303 ", + "rid": "SV-238303r654084_rule ", + "stig_id": "UBTU-20-010205 ", + "fix_id": "F-41472r654083_fix ", "cci": [ - "CCI-000172" + "CCI-001496" ], "nist": [ - "AU-12 c" + "AU-9 (3)" ], "host": null }, - "code": "control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. 
Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. 
\"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == 
'/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238318.rb", + "ref": "./controls/SV-238303.rb", "line": 1 }, - "id": "SV-238318" + "id": "SV-238303" }, { - "title": "The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. ", - "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. ", + "desc": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. 
Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. 
The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \"%n %a\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \"640\" or less permissive is not\nreturned, this is a finding.", - "fix": "Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog" + "default": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. 
Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.", + "check": "Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \"ClientAliveCountMax\" variable is set in the\n\"/etc/ssh/sshd_config\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000206-GPOS-00084 ", - "gid": "V-238343 ", - "rid": "SV-238343r654204_rule ", - "stig_id": "UBTU-20-010422 ", - "fix_id": "F-41512r654203_fix ", + "gtitle": "SRG-OS-000126-GPOS-00066 ", + "gid": "V-238212 ", + "rid": "SV-238212r858521_rule ", + "stig_id": 
"UBTU-20-010036 ", + "fix_id": "F-41381r653810_fix ", "cci": [ - "CCI-001314" + "CCI-000879" ], "nist": [ - "SI-11 b" + "MA-4 e" ], "host": null, "container": null }, - "code": "control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n", + "code": "control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. 
\"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n tag 'host', 'container'\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238343.rb", + "ref": "./controls/SV-238212.rb", "line": 1 }, - "id": "SV-238343" + "id": "SV-238212" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. ", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. 
", "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"apparmor_parser\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"apparmor_parser\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load" + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"sudoedit\" command.\n\nCheck the configured 
audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudoedit\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238282 ", - "rid": "SV-238282r654021_rule ", - "stig_id": "UBTU-20-010166 ", - "fix_id": "F-41451r654020_fix ", + "gid": "V-238278 ", + "rid": "SV-238278r654009_rule ", + "stig_id": "UBTU-20-010162 ", + "fix_id": "F-41447r654008_fix ", "cci": [ "CCI-000172" ], 
@@ -5423,30 +5604,30 @@ ], "host": null }, - "code": "control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { 
audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238282.rb", + "ref": "./controls/SV-238278.rb", "line": 1 }, - "id": "SV-238282" + "id": "SV-238278" }, { - "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. ", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. ", "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", "descriptions": { "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chcon\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chcon\" command.\n\nAdd or 
update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chage\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", "gtitle": "SRG-OS-000064-GPOS-00033 ", - "gid": "V-238281 ", - "rid": "SV-238281r654018_rule ", - "stig_id": "UBTU-20-010165 ", - "fix_id": "F-41450r654017_fix ", + "gid": "V-238291 ", + "rid": "SV-238291r654048_rule ", + "stig_id": "UBTU-20-010175 ", + "fix_id": "F-41460r654047_fix ", "cci": [ "CCI-000172" ], 
@@ -5455,20 +5636,53 @@ ], "host": null }, - "code": "control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). 
\"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be 
true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238281.rb", + "ref": "./controls/SV-238291.rb", "line": 1 }, - "id": "SV-238281" + "id": "SV-238291" }, { - "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. ", + "title": "The Ubuntu operating system must have an application firewall enabled. ", + "desc": "Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.", + "descriptions": { + "default": "Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.", + "check": "Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \"active:\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \"inactive\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. 
If no application firewall is installed, this\nis a finding.", + "fix": "Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000480-GPOS-00232 ", + "gid": "V-238374 ", + "rid": "SV-238374r654297_rule ", + "stig_id": "UBTU-20-010454 ", + "fix_id": "F-41543r654296_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ], + "host": null, + "container": null + }, + "code": "control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. 
\"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238374.rb", + "line": 1 + }, + "id": "SV-238374" + }, + { + "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ", "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", "descriptions": { "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. 
Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", - "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", - "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nAdd or update the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the Ubuntu operating system to generate audit 
records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" }, "impact": 0.5, "refs": [], @@ -5484,10 +5698,10 @@ "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221" ], - "gid": "V-238242 ", - "rid": "SV-238242r853420_rule ", - "stig_id": "UBTU-20-010104 ", - "fix_id": "F-41411r653900_fix ", + "gid": "V-238240 ", + "rid": "SV-238240r853418_rule ", + "stig_id": "UBTU-20-010102 ", + "fix_id": "F-41409r653894_fix ", "cci": [ "CCI-000018", "CCI-000172", 
@@ -5502,127 +5716,30 @@ ], "host": null }, - "code": "control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", - "source_location": { - "ref": "./controls/SV-238242.rb", - "line": 1 - }, - "id": "SV-238242" - }, - { - "title": "The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. 
", - "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", - "check": "Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"kmod\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", - "fix": "Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"kmod\".\n\nAdd or update the following rule in the \"/etc/audit/rules.d/stig.rules\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load" - }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000477-GPOS-00222 ", - "gid": "V-238319 ", - "rid": "SV-238319r654132_rule ", - "stig_id": "UBTU-20-010297 ", - "fix_id": "F-41488r654131_fix ", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ], - "host": null - }, - "code": "control 'SV-238319' do\n title \"The Ubuntu operating 
system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] 
}\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", - "source_location": { - "ref": "./controls/SV-238319.rb", - "line": 1 - }, - "id": "SV-238319" - }, - { - "title": "The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. ", - "desc": "If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.", - "descriptions": { - "default": "If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. 
This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.", - "check": "Verify that the audit log directory has a mode of \"0750\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \"0750\" or less by\nusing the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \"0750\", this is a finding.", - "fix": "Configure the audit log directory to have a mode of \"0750\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\"0750\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit" - }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000059-GPOS-00029 ", - "gid": "V-238248 ", - "rid": "SV-238248r653919_rule ", - "stig_id": "UBTU-20-010128 ", - "fix_id": "F-41417r653918_fix ", - "cci": [ - "CCI-000164" - ], - "nist": [ - "AU-9 a" - ], - "host": null - }, - "code": "control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. 
\"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. 
\"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", - "source_location": { - "ref": "./controls/SV-238248.rb", - "line": 1 - }, - "id": "SV-238248" - }, - { - "title": "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. ", - "desc": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. 
The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", - "descriptions": { - "default": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", - "check": "If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must 
have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.", - "fix": "To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed." - }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000404-GPOS-00183 ", - "gid": "V-238365 ", - "rid": "SV-238365r853442_rule ", - "stig_id": "UBTU-20-010444 ", - "fix_id": "F-41534r654269_fix ", - "cci": [ - "CCI-002475" - ], - "nist": [ - "SC-28 (1)" - ], - "host": null, - "container": null - }, - "code": "control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). 
\"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n tag 'host', 'container'\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", + "code": "control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238365.rb", + "ref": "./controls/SV-238240.rb", "line": 1 }, - "id": "SV-238365" + "id": "SV-238240" }, { - "title": "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. 
", - "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.", + "title": "The Ubuntu operating system must not have accounts configured with blank or null passwords. ", + "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.", "descriptions": { - "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.", - "check": "Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\"\nis not masked, this is a finding.", - "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload" + "default": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. 
Accounts with empty passwords should never be used in operational\nenvironments.", + "check": "Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.", + "fix": "Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username]" }, "impact": 0.7, "refs": [], "tags": { "severity": "high ", "gtitle": "SRG-OS-000480-GPOS-00227 ", - "gid": "V-238380 ", - "rid": "SV-238380r832974_rule ", - "stig_id": "UBTU-20-010460 ", - "fix_id": "F-41549r832973_fix ", + "gid": "V-251503 ", + "rid": "SV-251503r808506_rule ", + "stig_id": "UBTU-20-010462 ", + "fix_id": "F-54892r808505_fix ", "cci": [ "CCI-000366" ], 
@@ -5632,317 +5749,200 @@ "host": null, "container": null }, - "code": "control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n", + "code": "control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. 
Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238380.rb", + "ref": "./controls/SV-251503.rb", "line": 1 }, - "id": "SV-238380" + "id": "SV-251503" }, { - "title": "The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. ", - "desc": "Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.", + "title": "The Ubuntu operating system must be configured to use TCP syncookies. ", + "desc": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. 
Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.", "descriptions": { - "default": "Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.", - "check": "Verify that kernel core dumps are disabled unless needed.\n\nCheck if \"kdump\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \"kdump\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding.", - "fix": "If kernel core dumps are not required, disable the \"kdump\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO." + "default": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. 
Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.", + "check": "Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding.", + "fix": "Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default\nvalue, add or update the following line in \"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies\n= 1" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000184-GPOS-00078 ", - "gid": "V-238334 ", - "rid": "SV-238334r654177_rule ", - "stig_id": "UBTU-20-010413 ", - "fix_id": "F-41503r654176_fix ", + "gtitle": "SRG-OS-000142-GPOS-00071 ", + "gid": "V-238333 ", + "rid": "SV-238333r654174_rule ", + "stig_id": "UBTU-20-010412 ", + "fix_id": "F-41502r654173_fix ", "cci": [ - "CCI-001190" + "CCI-001095" ], "nist": [ - "SC-24" + "SC-5 (2)" ], "host": null, "container": null }, - "code": "control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. 
\"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n tag 'host', 'container'\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n", + "code": "control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. 
\"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n tag 'host', 'container'\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238334.rb", + "ref": "./controls/SV-238333.rb", "line": 1 }, - "id": "SV-238334" + "id": "SV-238333" }, { - "title": "The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. 
", - "desc": "Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.", + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. 
", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", "descriptions": { - "default": "Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. 
If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.", - "check": "Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \"disabled\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\",\nthis is a finding.", - "fix": "Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load" + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. 
Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000122-GPOS-00063 ", - "satisfies": [ - "SRG-OS-000122-GPOS-00063", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000038-GPOS-00016", - "SRG-OS-000039-GPOS-00017", - 
"SRG-OS-000040-GPOS-00018", - "SRG-OS-000041-GPOS-00019", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000042-GPOS-00021", - "SRG-OS-000051-GPOS-00024", - "SRG-OS-000054-GPOS-00025", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000337-GPOS-00129", - "SRG-OS-000348-GPOS-00136", - "SRG-OS-000349-GPOS-00137", - "SRG-OS-000350-GPOS-00138", - "SRG-OS-000351-GPOS-00139", - "SRG-OS-000352-GPOS-00140", - "SRG-OS-000353-GPOS-00141", - "SRG-OS-000354-GPOS-00142", - "SRG-OS-000475-GPOS-00220" - ], - "gid": "V-238298 ", - "rid": "SV-238298r853421_rule ", - "stig_id": "UBTU-20-010182 ", - "fix_id": "F-41467r654068_fix ", - "cci": [ - "CCI-000130", - "CCI-000131", - "CCI-000132", - "CCI-000133", - "CCI-000134", - "CCI-000135", - "CCI-000154", - "CCI-000158", - "CCI-000169", - "CCI-000172", - "CCI-001875", - "CCI-001876", - "CCI-001877", - "CCI-001878", - "CCI-001879", - "CCI-001880", - "CCI-001881", - "CCI-001882", - "CCI-001914" - ], - "nist": [ - "AU-3 a", - "AU-3 b", - "AU-3 c", - "AU-3 d", - "AU-3 e", - "AU-3 (1)", - "AU-6 (4)", - "AU-7 (1)", - "AU-12 a", - "AU-12 c", - "AU-7 a", - "AU-7 b", - "AU-12 (3)" - ], - "host": null - }, - "code": "control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. 
\"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. 
If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. 
\"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n", - 
"source_location": { - "ref": "./controls/SV-238298.rb", - "line": 1 - }, - "id": "SV-238298" - }, - { - "title": "The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ", - "desc": "Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.", - "descriptions": { - "default": "Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.", - "check": "Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding.", - "fix": "Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000" - }, - "impact": 0.3, - "refs": [], - "tags": { - "severity": "low ", - "gtitle": "SRG-OS-000077-GPOS-00045 ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", "satisfies": [ - "SRG-OS-000077-GPOS-00045", - 
"SRG-OS-000073-GPOS-00041" - ], - "gid": "V-238234 ", - "rid": "SV-238234r832945_rule ", - "stig_id": "UBTU-20-010070 ", - "fix_id": "F-41403r832944_fix ", - "cci": [ - "CCI-000196", - "CCI-000200" - ], - "nist": [ - "IA-5 (1) (c)", - "IA-5 (1) (e)" + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206" ], - "host": null - }, - "code": "control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n", - "source_location": { - "ref": "./controls/SV-238234.rb", - "line": 1 - }, - "id": "SV-238234" - }, - { - "title": "The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. 
", - "desc": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", - "descriptions": { - "default": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", - "check": "Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"." 
- }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000377-GPOS-00162 ", - "gid": "V-238232 ", - "rid": "SV-238232r853412_rule ", - "stig_id": "UBTU-20-010065 ", - "fix_id": "F-41401r653870_fix ", + "gid": "V-238268 ", + "rid": "SV-238268r808480_rule ", + "stig_id": "UBTU-20-010152 ", + "fix_id": "F-41437r808479_fix ", "cci": [ - "CCI-001954" + "CCI-000172" ], "nist": [ - "IA-2 (12)" + "AU-12 c" ], "host": null }, - "code": "control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. 
The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if 
virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { - "ref": "./controls/SV-238232.rb", + "ref": "./controls/SV-238268.rb", "line": 1 }, - "id": "SV-238232" + "id": "SV-238268" }, { - "title": "The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. ", - "desc": "Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.", + "title": "The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). 
", + "desc": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.", "descriptions": { - "default": "Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.", - "check": "Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding.", - "fix": "If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. 
Substitute\n\"account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\" +%F)\naccount_name" + "default": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.", + "check": "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \"mcafeetp\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II.", + "fix": "The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \"mcafeetp\" package via the ePO\nserver." 
}, "impact": 0.3, "refs": [], "tags": { "severity": "low ", - "gtitle": "SRG-OS-000123-GPOS-00064 ", - "gid": "V-238331 ", - "rid": "SV-238331r654168_rule ", - "stig_id": "UBTU-20-010410 ", - "fix_id": "F-41500r654167_fix ", + "gtitle": "SRG-OS-000191-GPOS-00080 ", + "gid": "V-238336 ", + "rid": "SV-238336r858538_rule ", + "stig_id": "UBTU-20-010415 ", + "fix_id": "F-41505r858537_fix ", "cci": [ - "CCI-001682" + "CCI-001233" ], "nist": [ - "AC-2 (2)" + "SI-2 (2)" ], "host": null, "container": null }, - "code": "control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. 
\"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n tag 'host', 'container'\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n", + "code": "control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. 
\"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n tag 'host', 'container'\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238331.rb", + "ref": "./controls/SV-238336.rb", "line": 1 }, - "id": "SV-238331" + "id": "SV-238336" }, { - "title": "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. ", - "desc": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", + "title": "The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. 
", + "desc": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.", "descriptions": { - "default": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", - "check": "If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.", - "fix": "To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed." + "default": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. 
If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.", + "check": "Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \"/etc/ssl/certs\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding.", + "fix": "Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of\nall uncommented lines that do not start with the \"!\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM\nformat.\n\nUpdate the \"/etc/ssl/certs\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000405-GPOS-00184 ", - "gid": "V-238366 ", - "rid": 
"SV-238366r853443_rule ", - "stig_id": "UBTU-20-010445 ", - "fix_id": "F-41535r654272_fix ", + "gtitle": "SRG-OS-000403-GPOS-00182 ", + "gid": "V-238364 ", + "rid": "SV-238364r860824_rule ", + "stig_id": "UBTU-20-010443 ", + "fix_id": "F-41533r860823_fix ", "cci": [ - "CCI-002476" + "CCI-002470" ], "nist": [ - "SC-28 (1)" + "SC-23 (5)" ], "host": null, "container": null }, - "code": "control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). 
\"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n tag 'host', 'container'\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", + "code": "control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. 
\"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n tag 'host', 'container'\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 
-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n", "source_location": { - "ref": "./controls/SV-238366.rb", + "ref": "./controls/SV-238364.rb", "line": 1 }, - "id": "SV-238366" + "id": "SV-238364" }, { - "title": "The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. ", - "desc": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "title": "The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. ", + "desc": "Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). 
Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.", "descriptions": { - "default": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", - "check": "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a user other than \"root\", this is a finding.", - "fix": "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" + "default": "Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or 
must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.", + "check": "Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding.", + "fix": "Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \"[service]\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. 
An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium ", - "gtitle": "SRG-OS-000063-GPOS-00032 ", - "gid": "V-238250 ", - "rid": "SV-238250r653925_rule ", - "stig_id": "UBTU-20-010134 ", - "fix_id": "F-41419r653924_fix ", + "gtitle": "SRG-OS-000420-GPOS-00186 ", + "gid": "V-238367 ", + "rid": "SV-238367r853444_rule ", + "stig_id": "UBTU-20-010446 ", + "fix_id": "F-41536r654275_fix ", "cci": [ - "CCI-000171" + "CCI-002385" ], "nist": [ - "AU-12 b" + "SC-5 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. 
\"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n 
describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n", + "code": "control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. 
\"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n tag 'host', 'container'\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n", "source_location": { - "ref": "./controls/SV-238250.rb", + "ref": "./controls/SV-238367.rb", "line": 1 }, - "id": "SV-238250" + "id": "SV-238367" }, { - "title": "The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. ", - "desc": "If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. 
To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.", + "title": "The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. ", + "desc": "Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.", "descriptions": { - "default": "If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. 
To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.", - "check": "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding.", - "fix": "If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\"system_account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\"\n+%F) system_account_name" + "default": "Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. 
The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.", + "check": "Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding.", + "fix": "If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\"account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\" +%F)\naccount_name" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium ", - "gtitle": "SRG-OS-000002-GPOS-00002 ", - "gid": "V-238196 ", - "rid": "SV-238196r653763_rule ", - "stig_id": "UBTU-20-010000 ", - "fix_id": "F-41365r653762_fix ", + "severity": "low ", + "gtitle": "SRG-OS-000123-GPOS-00064 ", + "gid": "V-238331 ", + "rid": "SV-238331r654168_rule ", + "stig_id": "UBTU-20-010410 ", + "fix_id": "F-41500r654167_fix ", "cci": [ - "CCI-000016" + "CCI-001682" ], "nist": [ "AC-2 (2)" 
@@ -5950,1183 +5950,1183 @@ "host": null, "container": null }, - "code": "control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. 
\"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n tag 'host', 'container'\n\n if input('temporary_accounts').empty?\n describe 'Temporary accounts' do\n subject { input('temporary_accounts') }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match(/:\\s*never/) }\n end\n end\n end\nend\n", + "code": "control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. 
\"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n tag 'host', 'container'\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n", "source_location": { - "ref": "./controls/SV-238196.rb", + "ref": "./controls/SV-238331.rb", "line": 1 }, - "id": "SV-238196" + "id": "SV-238331" } ], "groups": [ { "title": null, "controls": [ - "SV-238344" + "SV-238232" ], - "id": "controls/SV-238344.rb" + "id": "controls/SV-238232.rb" }, { "title": null, "controls": [ - "SV-238349" + "SV-238326" ], - "id": "controls/SV-238349.rb" + "id": "controls/SV-238326.rb" }, { "title": null, "controls": [ - "SV-238255" + "SV-238362" ], - "id": "controls/SV-238255.rb" + "id": "controls/SV-238362.rb" }, { "title": null, "controls": [ - "SV-238321" + "SV-238202" ], - "id": "controls/SV-238321.rb" + "id": 
"controls/SV-238202.rb" }, { "title": null, "controls": [ - "SV-238223" + "SV-238350" ], - "id": "controls/SV-238223.rb" + "id": "controls/SV-238350.rb" }, { "title": null, "controls": [ - "SV-238264" + "SV-238302" ], - "id": "controls/SV-238264.rb" + "id": "controls/SV-238302.rb" }, { "title": null, "controls": [ - "SV-238238" + "SV-238247" ], - "id": "controls/SV-238238.rb" + "id": "controls/SV-238247.rb" }, { "title": null, "controls": [ - "SV-238268" + "SV-238292" ], - "id": "controls/SV-238268.rb" + "id": "controls/SV-238292.rb" }, { "title": null, "controls": [ - "SV-238287" + "SV-238233" ], - "id": "controls/SV-238287.rb" + "id": "controls/SV-238233.rb" }, { "title": null, "controls": [ - "SV-238350" + "SV-238351" ], - "id": "controls/SV-238350.rb" + "id": "controls/SV-238351.rb" }, { "title": null, "controls": [ - "SV-251504" + "SV-238294" ], - "id": "controls/SV-251504.rb" + "id": "controls/SV-238294.rb" }, { "title": null, "controls": [ - "SV-238362" + "SV-238234" ], - "id": "controls/SV-238362.rb" + "id": "controls/SV-238234.rb" }, { "title": null, "controls": [ - "SV-238271" + "SV-238245" ], - "id": "controls/SV-238271.rb" + "id": "controls/SV-238245.rb" }, { "title": null, "controls": [ - "SV-238332" + "SV-238210" ], - "id": "controls/SV-238332.rb" + "id": "controls/SV-238210.rb" }, { "title": null, "controls": [ - "SV-238240" + "SV-238338" ], - "id": "controls/SV-238240.rb" + "id": "controls/SV-238338.rb" }, { "title": null, "controls": [ - "SV-238206" + "SV-238238" ], - "id": "controls/SV-238206.rb" + "id": "controls/SV-238238.rb" }, { "title": null, "controls": [ - "SV-238372" + "SV-238342" ], - "id": "controls/SV-238372.rb" + "id": "controls/SV-238342.rb" }, { "title": null, "controls": [ - "SV-238231" + "SV-238320" ], - "id": "controls/SV-238231.rb" + "id": "controls/SV-238320.rb" }, { "title": null, "controls": [ - "SV-238229" + "SV-238335" ], - "id": "controls/SV-238229.rb" + "id": "controls/SV-238335.rb" }, { "title": null, "controls": [ - 
"SV-238239" + "SV-238204" ], - "id": "controls/SV-238239.rb" + "id": "controls/SV-238204.rb" }, { "title": null, "controls": [ - "SV-238245" + "SV-238286" ], - "id": "controls/SV-238245.rb" + "id": "controls/SV-238286.rb" }, { "title": null, "controls": [ - "SV-238209" + "SV-238330" ], - "id": "controls/SV-238209.rb" + "id": "controls/SV-238330.rb" }, { "title": null, "controls": [ - "SV-252704" + "SV-238295" ], - "id": "controls/SV-252704.rb" + "id": "controls/SV-238295.rb" }, { "title": null, "controls": [ - "SV-238233" + "SV-238366" ], - "id": "controls/SV-238233.rb" + "id": "controls/SV-238366.rb" }, { "title": null, "controls": [ - "SV-238226" + "SV-238346" ], - "id": "controls/SV-238226.rb" + "id": "controls/SV-238346.rb" }, { "title": null, "controls": [ - "SV-238361" + "SV-238356" ], - "id": "controls/SV-238361.rb" + "id": "controls/SV-238356.rb" }, { "title": null, "controls": [ - "SV-238364" + "SV-238315" ], - "id": "controls/SV-238364.rb" + "id": "controls/SV-238315.rb" }, { "title": null, "controls": [ - "SV-238335" + "SV-238264" ], - "id": "controls/SV-238335.rb" + "id": "controls/SV-238264.rb" }, { "title": null, "controls": [ - "SV-238243" + "SV-238309" ], - "id": "controls/SV-238243.rb" + "id": "controls/SV-238309.rb" }, { "title": null, "controls": [ - "SV-238214" + "SV-238231" ], - "id": "controls/SV-238214.rb" + "id": "controls/SV-238231.rb" }, { "title": null, "controls": [ - "SV-238291" + "SV-238289" ], - "id": "controls/SV-238291.rb" + "id": "controls/SV-238289.rb" }, { "title": null, "controls": [ - "SV-238339" + "SV-252704" ], - "id": "controls/SV-238339.rb" + "id": "controls/SV-252704.rb" }, { "title": null, "controls": [ - "SV-238202" + "SV-238209" ], - "id": "controls/SV-238202.rb" + "id": "controls/SV-238209.rb" }, { "title": null, "controls": [ - "SV-238215" + "SV-238256" ], - "id": "controls/SV-238215.rb" + "id": "controls/SV-238256.rb" }, { "title": null, "controls": [ - "SV-238357" + "SV-238242" ], - "id": "controls/SV-238357.rb" + 
"id": "controls/SV-238242.rb" }, { "title": null, "controls": [ - "SV-238299" + "SV-238380" ], - "id": "controls/SV-238299.rb" + "id": "controls/SV-238380.rb" }, { "title": null, "controls": [ - "SV-238356" + "SV-238198" ], - "id": "controls/SV-238356.rb" + "id": "controls/SV-238198.rb" }, { "title": null, "controls": [ - "SV-238286" + "SV-238308" ], - "id": "controls/SV-238286.rb" + "id": "controls/SV-238308.rb" }, { "title": null, "controls": [ - "SV-238246" + "SV-238341" ], - "id": "controls/SV-238246.rb" + "id": "controls/SV-238341.rb" }, { "title": null, "controls": [ - "SV-238288" + "SV-238329" ], - "id": "controls/SV-238288.rb" + "id": "controls/SV-238329.rb" }, { "title": null, "controls": [ - "SV-238222" + "SV-238227" ], - "id": "controls/SV-238222.rb" + "id": "controls/SV-238227.rb" }, { "title": null, "controls": [ - "SV-238247" + "SV-238357" ], - "id": "controls/SV-238247.rb" + "id": "controls/SV-238357.rb" }, { "title": null, "controls": [ - "SV-238228" + "SV-238219" ], - "id": "controls/SV-238228.rb" + "id": "controls/SV-238219.rb" }, { "title": null, "controls": [ - "SV-238199" + "SV-238347" ], - "id": "controls/SV-238199.rb" + "id": "controls/SV-238347.rb" }, { "title": null, "controls": [ - "SV-238333" + "SV-238344" ], - "id": "controls/SV-238333.rb" + "id": "controls/SV-238344.rb" }, { "title": null, "controls": [ - "SV-238304" + "SV-238290" ], - "id": "controls/SV-238304.rb" + "id": "controls/SV-238290.rb" }, { "title": null, "controls": [ - "SV-238258" + "SV-238298" ], - "id": "controls/SV-238258.rb" + "id": "controls/SV-238298.rb" }, { "title": null, "controls": [ - "SV-238367" + "SV-238281" ], - "id": "controls/SV-238367.rb" + "id": "controls/SV-238281.rb" }, { "title": null, "controls": [ - "SV-238338" + "SV-238355" ], - "id": "controls/SV-238338.rb" + "id": "controls/SV-238355.rb" }, { "title": null, "controls": [ - "SV-238293" + "SV-238200" ], - "id": "controls/SV-238293.rb" + "id": "controls/SV-238200.rb" }, { "title": null, "controls": [ 
- "SV-238337" + "SV-238257" ], - "id": "controls/SV-238337.rb" + "id": "controls/SV-238257.rb" }, { "title": null, "controls": [ - "SV-238309" + "SV-238223" ], - "id": "controls/SV-238309.rb" + "id": "controls/SV-238223.rb" }, { "title": null, "controls": [ - "SV-238217" + "SV-238220" ], - "id": "controls/SV-238217.rb" + "id": "controls/SV-238220.rb" }, { "title": null, "controls": [ - "SV-238370" + "SV-238258" ], - "id": "controls/SV-238370.rb" + "id": "controls/SV-238258.rb" }, { "title": null, "controls": [ - "SV-238212" + "SV-238280" ], - "id": "controls/SV-238212.rb" + "id": "controls/SV-238280.rb" }, { "title": null, "controls": [ - "SV-238292" + "SV-238340" ], - "id": "controls/SV-238292.rb" + "id": "controls/SV-238340.rb" }, { "title": null, "controls": [ - "SV-251503" + "SV-238372" ], - "id": "controls/SV-251503.rb" + "id": "controls/SV-238372.rb" }, { "title": null, "controls": [ - "SV-238341" + "SV-238293" ], - "id": "controls/SV-238341.rb" + "id": "controls/SV-238293.rb" }, { "title": null, "controls": [ - "SV-238295" + "SV-238197" ], - "id": "controls/SV-238295.rb" + "id": "controls/SV-238197.rb" }, { "title": null, "controls": [ - "SV-238254" + "SV-238285" ], - "id": "controls/SV-238254.rb" + "id": "controls/SV-238285.rb" }, { "title": null, "controls": [ - "SV-238200" + "SV-238218" ], - "id": "controls/SV-238200.rb" + "id": "controls/SV-238218.rb" }, { "title": null, "controls": [ - "SV-238308" + "SV-238343" ], - "id": "controls/SV-238308.rb" + "id": "controls/SV-238343.rb" }, { "title": null, "controls": [ - "SV-238257" + "SV-238283" ], - "id": "controls/SV-238257.rb" + "id": "controls/SV-238283.rb" }, { "title": null, "controls": [ - "SV-238218" + "SV-238208" ], - "id": "controls/SV-238218.rb" + "id": "controls/SV-238208.rb" }, { "title": null, "controls": [ - "SV-238297" + "SV-238328" ], - "id": "controls/SV-238297.rb" + "id": "controls/SV-238328.rb" }, { "title": null, "controls": [ - "SV-238346" + "SV-238327" ], - "id": "controls/SV-238346.rb" + 
"id": "controls/SV-238327.rb" }, { "title": null, "controls": [ - "SV-238329" + "SV-238207" ], - "id": "controls/SV-238329.rb" + "id": "controls/SV-238207.rb" }, { "title": null, "controls": [ - "SV-238307" + "SV-238237" ], - "id": "controls/SV-238307.rb" + "id": "controls/SV-238237.rb" }, { "title": null, "controls": [ - "SV-238371" + "SV-238305" ], - "id": "controls/SV-238371.rb" + "id": "controls/SV-238305.rb" }, { "title": null, "controls": [ - "SV-238249" + "SV-238370" ], - "id": "controls/SV-238249.rb" + "id": "controls/SV-238370.rb" }, { "title": null, "controls": [ - "SV-238225" + "SV-238334" ], - "id": "controls/SV-238225.rb" + "id": "controls/SV-238334.rb" }, { "title": null, "controls": [ - "SV-238227" + "SV-238244" ], - "id": "controls/SV-238227.rb" + "id": "controls/SV-238244.rb" }, { "title": null, "controls": [ - "SV-238197" + "SV-238363" ], - "id": "controls/SV-238197.rb" + "id": "controls/SV-238363.rb" }, { "title": null, "controls": [ - "SV-238352" + "SV-238339" ], - "id": "controls/SV-238352.rb" + "id": "controls/SV-238339.rb" }, { "title": null, "controls": [ - "SV-238280" + "SV-238379" ], - "id": "controls/SV-238280.rb" + "id": "controls/SV-238379.rb" }, { "title": null, "controls": [ - "SV-238315" + "SV-238255" ], - "id": "controls/SV-238315.rb" + "id": "controls/SV-238255.rb" }, { "title": null, "controls": [ - "SV-238284" + "SV-238248" ], - "id": "controls/SV-238284.rb" + "id": "controls/SV-238248.rb" }, { "title": null, "controls": [ - "SV-238305" + "SV-238376" ], - "id": "controls/SV-238305.rb" + "id": "controls/SV-238376.rb" }, { "title": null, "controls": [ - "SV-238328" + "SV-238235" ], - "id": "controls/SV-238328.rb" + "id": "controls/SV-238235.rb" }, { "title": null, "controls": [ - "SV-238324" + "SV-238224" ], - "id": "controls/SV-238324.rb" + "id": "controls/SV-238224.rb" }, { "title": null, "controls": [ - "SV-238353" + "SV-238287" ], - "id": "controls/SV-238353.rb" + "id": "controls/SV-238287.rb" }, { "title": null, "controls": [ 
- "SV-238219" + "SV-238196" ], - "id": "controls/SV-238219.rb" + "id": "controls/SV-238196.rb" }, { "title": null, "controls": [ - "SV-238290" + "SV-238214" ], - "id": "controls/SV-238290.rb" + "id": "controls/SV-238214.rb" }, { "title": null, "controls": [ - "SV-238354" + "SV-238271" ], - "id": "controls/SV-238354.rb" + "id": "controls/SV-238271.rb" }, { "title": null, "controls": [ - "SV-238244" + "SV-238279" ], - "id": "controls/SV-238244.rb" + "id": "controls/SV-238279.rb" }, { "title": null, "controls": [ - "SV-238336" + "SV-238254" ], - "id": "controls/SV-238336.rb" + "id": "controls/SV-238254.rb" }, { "title": null, "controls": [ - "SV-238277" + "SV-238304" ], - "id": "controls/SV-238277.rb" + "id": "controls/SV-238304.rb" }, { "title": null, "controls": [ - "SV-238347" + "SV-238297" ], - "id": "controls/SV-238347.rb" + "id": "controls/SV-238297.rb" }, { "title": null, "controls": [ - "SV-238252" + "SV-238358" ], - "id": "controls/SV-238252.rb" + "id": "controls/SV-238358.rb" }, { "title": null, "controls": [ - "SV-238208" + "SV-238205" ], - "id": "controls/SV-238208.rb" + "id": "controls/SV-238205.rb" }, { "title": null, "controls": [ - "SV-238325" + "SV-238221" ], - "id": "controls/SV-238325.rb" + "id": "controls/SV-238221.rb" }, { "title": null, "controls": [ - "SV-238285" + "SV-238216" ], - "id": "controls/SV-238285.rb" + "id": "controls/SV-238216.rb" }, { "title": null, "controls": [ - "SV-238303" + "SV-238203" ], - "id": "controls/SV-238303.rb" + "id": "controls/SV-238203.rb" }, { "title": null, "controls": [ - "SV-238351" + "SV-238199" ], - "id": "controls/SV-238351.rb" + "id": "controls/SV-238199.rb" }, { "title": null, "controls": [ - "SV-238355" + "SV-238201" ], - "id": "controls/SV-238355.rb" + "id": "controls/SV-238201.rb" }, { "title": null, "controls": [ - "SV-238251" + "SV-238360" ], - "id": "controls/SV-238251.rb" + "id": "controls/SV-238360.rb" }, { "title": null, "controls": [ - "SV-238230" + "SV-238324" ], - "id": "controls/SV-238230.rb" + 
"id": "controls/SV-238324.rb" }, { "title": null, "controls": [ - "SV-251505" + "SV-238317" ], - "id": "controls/SV-251505.rb" + "id": "controls/SV-238317.rb" }, { "title": null, "controls": [ - "SV-238201" + "SV-238348" ], - "id": "controls/SV-238201.rb" + "id": "controls/SV-238348.rb" }, { "title": null, "controls": [ - "SV-238221" + "SV-238299" ], - "id": "controls/SV-238221.rb" + "id": "controls/SV-238299.rb" }, { "title": null, "controls": [ - "SV-238348" + "SV-251505" ], - "id": "controls/SV-238348.rb" + "id": "controls/SV-251505.rb" }, { "title": null, "controls": [ - "SV-238300" + "SV-238241" ], - "id": "controls/SV-238300.rb" + "id": "controls/SV-238241.rb" }, { "title": null, "controls": [ - "SV-238224" + "SV-238300" ], - "id": "controls/SV-238224.rb" + "id": "controls/SV-238300.rb" }, { "title": null, "controls": [ - "SV-238340" + "SV-238352" ], - "id": "controls/SV-238340.rb" + "id": "controls/SV-238352.rb" }, { "title": null, "controls": [ - "SV-238253" + "SV-238211" ], - "id": "controls/SV-238253.rb" + "id": "controls/SV-238211.rb" }, { "title": null, "controls": [ - "SV-238235" + "SV-238377" ], - "id": "controls/SV-238235.rb" + "id": "controls/SV-238377.rb" }, { "title": null, "controls": [ - "SV-238256" + "SV-238345" ], - "id": "controls/SV-238256.rb" + "id": "controls/SV-238345.rb" }, { "title": null, "controls": [ - "SV-238204" + "SV-238249" ], - "id": "controls/SV-238204.rb" + "id": "controls/SV-238249.rb" }, { "title": null, "controls": [ - "SV-238294" + "SV-238353" ], - "id": "controls/SV-238294.rb" + "id": "controls/SV-238353.rb" }, { "title": null, "controls": [ - "SV-238205" + "SV-238250" ], - "id": "controls/SV-238205.rb" + "id": "controls/SV-238250.rb" }, { "title": null, "controls": [ - "SV-238236" + "SV-238239" ], - "id": "controls/SV-238236.rb" + "id": "controls/SV-238239.rb" }, { "title": null, "controls": [ - "SV-238241" + "SV-238371" ], - "id": "controls/SV-238241.rb" + "id": "controls/SV-238371.rb" }, { "title": null, "controls": [ 
- "SV-238368" + "SV-238359" ], - "id": "controls/SV-238368.rb" + "id": "controls/SV-238359.rb" }, { "title": null, "controls": [ - "SV-238376" + "SV-238349" ], - "id": "controls/SV-238376.rb" + "id": "controls/SV-238349.rb" }, { "title": null, "controls": [ - "SV-238213" + "SV-238282" ], - "id": "controls/SV-238213.rb" + "id": "controls/SV-238282.rb" }, { "title": null, "controls": [ - "SV-238360" + "SV-238253" ], - "id": "controls/SV-238360.rb" + "id": "controls/SV-238253.rb" }, { "title": null, "controls": [ - "SV-238316" + "SV-238378" ], - "id": "controls/SV-238316.rb" + "id": "controls/SV-238378.rb" }, { "title": null, "controls": [ - "SV-238373" + "SV-238277" ], - "id": "controls/SV-238373.rb" + "id": "controls/SV-238277.rb" }, { "title": null, "controls": [ - "SV-238283" + "SV-238332" ], - "id": "controls/SV-238283.rb" + "id": "controls/SV-238332.rb" }, { "title": null, "controls": [ - "SV-238379" + "SV-251504" ], - "id": "controls/SV-238379.rb" + "id": "controls/SV-251504.rb" }, { "title": null, "controls": [ - "SV-238317" + "SV-238252" ], - "id": "controls/SV-238317.rb" + "id": "controls/SV-238252.rb" }, { "title": null, "controls": [ - "SV-238310" + "SV-238284" ], - "id": "controls/SV-238310.rb" + "id": "controls/SV-238284.rb" }, { "title": null, "controls": [ - "SV-238326" + "SV-238325" ], - "id": "controls/SV-238326.rb" + "id": "controls/SV-238325.rb" }, { "title": null, "controls": [ - "SV-238358" + "SV-238251" ], - "id": "controls/SV-238358.rb" + "id": "controls/SV-238251.rb" }, { "title": null, "controls": [ - "SV-238327" + "SV-238215" ], - "id": "controls/SV-238327.rb" + "id": "controls/SV-238215.rb" }, { "title": null, "controls": [ - "SV-238359" + "SV-238222" ], - "id": "controls/SV-238359.rb" + "id": "controls/SV-238222.rb" }, { "title": null, "controls": [ - "SV-238320" + "SV-238310" ], - "id": "controls/SV-238320.rb" + "id": "controls/SV-238310.rb" }, { "title": null, "controls": [ - "SV-238237" + "SV-238316" ], - "id": "controls/SV-238237.rb" + 
"id": "controls/SV-238316.rb" }, { "title": null, "controls": [ - "SV-238278" + "SV-238217" ], - "id": "controls/SV-238278.rb" + "id": "controls/SV-238217.rb" }, { "title": null, "controls": [ - "SV-238211" + "SV-238246" ], - "id": "controls/SV-238211.rb" + "id": "controls/SV-238246.rb" }, { "title": null, "controls": [ - "SV-238342" + "SV-238230" ], - "id": "controls/SV-238342.rb" + "id": "controls/SV-238230.rb" }, { "title": null, "controls": [ - "SV-238279" + "SV-238228" ], - "id": "controls/SV-238279.rb" + "id": "controls/SV-238228.rb" }, { "title": null, "controls": [ - "SV-238301" + "SV-238323" ], - "id": "controls/SV-238301.rb" + "id": "controls/SV-238323.rb" }, { "title": null, "controls": [ - "SV-238210" + "SV-238243" ], - "id": "controls/SV-238210.rb" + "id": "controls/SV-238243.rb" }, { "title": null, "controls": [ - "SV-238378" + "SV-238318" ], - "id": "controls/SV-238378.rb" + "id": "controls/SV-238318.rb" }, { "title": null, "controls": [ - "SV-238207" + "SV-238354" ], - "id": "controls/SV-238207.rb" + "id": "controls/SV-238354.rb" }, { "title": null, "controls": [ - "SV-238330" + "SV-238213" ], - "id": "controls/SV-238330.rb" + "id": "controls/SV-238213.rb" }, { "title": null, "controls": [ - "SV-238203" + "SV-238225" ], - "id": "controls/SV-238203.rb" + "id": "controls/SV-238225.rb" }, { "title": null, "controls": [ - "SV-238377" + "SV-238365" ], - "id": "controls/SV-238377.rb" + "id": "controls/SV-238365.rb" }, { "title": null, "controls": [ - "SV-238374" + "SV-238319" ], - "id": "controls/SV-238374.rb" + "id": "controls/SV-238319.rb" }, { "title": null, "controls": [ - "SV-238198" + "SV-238288" ], - "id": "controls/SV-238198.rb" + "id": "controls/SV-238288.rb" }, { "title": null, "controls": [ - "SV-238363" + "SV-238301" ], - "id": "controls/SV-238363.rb" + "id": "controls/SV-238301.rb" }, { "title": null, "controls": [ - "SV-238302" + "SV-238206" ], - "id": "controls/SV-238302.rb" + "id": "controls/SV-238206.rb" }, { "title": null, "controls": [ 
- "SV-238289" + "SV-238337" ], - "id": "controls/SV-238289.rb" + "id": "controls/SV-238337.rb" }, { "title": null, "controls": [ - "SV-238323" + "SV-238321" ], - "id": "controls/SV-238323.rb" + "id": "controls/SV-238321.rb" }, { "title": null, "controls": [ - "SV-238216" + "SV-238361" ], - "id": "controls/SV-238216.rb" + "id": "controls/SV-238361.rb" }, { "title": null, "controls": [ - "SV-238306" + "SV-238226" ], - "id": "controls/SV-238306.rb" + "id": "controls/SV-238226.rb" }, { "title": null, "controls": [ - "SV-238345" + "SV-238229" ], - "id": "controls/SV-238345.rb" + "id": "controls/SV-238229.rb" }, { "title": null, "controls": [ - "SV-238220" + "SV-238236" ], - "id": "controls/SV-238220.rb" + "id": "controls/SV-238236.rb" }, { "title": null, "controls": [ - "SV-238369" + "SV-238306" ], - "id": "controls/SV-238369.rb" + "id": "controls/SV-238306.rb" }, { "title": null, "controls": [ - "SV-238318" + "SV-238373" ], - "id": "controls/SV-238318.rb" + "id": "controls/SV-238373.rb" }, { "title": null, "controls": [ - "SV-238343" + "SV-238368" ], - "id": "controls/SV-238343.rb" + "id": "controls/SV-238368.rb" }, { "title": null, "controls": [ - "SV-238282" + "SV-238307" ], - "id": "controls/SV-238282.rb" + "id": "controls/SV-238307.rb" }, { "title": null, "controls": [ - "SV-238281" + "SV-238369" ], - "id": "controls/SV-238281.rb" + "id": "controls/SV-238369.rb" }, { "title": null, "controls": [ - "SV-238242" + "SV-238303" ], - "id": "controls/SV-238242.rb" + "id": "controls/SV-238303.rb" }, { "title": null, "controls": [ - "SV-238319" + "SV-238212" ], - "id": "controls/SV-238319.rb" + "id": "controls/SV-238212.rb" }, { "title": null, "controls": [ - "SV-238248" + "SV-238278" ], - "id": "controls/SV-238248.rb" + "id": "controls/SV-238278.rb" }, { "title": null, "controls": [ - "SV-238365" + "SV-238291" ], - "id": "controls/SV-238365.rb" + "id": "controls/SV-238291.rb" }, { "title": null, "controls": [ - "SV-238380" + "SV-238374" ], - "id": "controls/SV-238380.rb" + 
"id": "controls/SV-238374.rb" }, { "title": null, "controls": [ - "SV-238334" + "SV-238240" ], - "id": "controls/SV-238334.rb" + "id": "controls/SV-238240.rb" }, { "title": null, "controls": [ - "SV-238298" + "SV-251503" ], - "id": "controls/SV-238298.rb" + "id": "controls/SV-251503.rb" }, { "title": null, "controls": [ - "SV-238234" + "SV-238333" ], - "id": "controls/SV-238234.rb" + "id": "controls/SV-238333.rb" }, { "title": null, "controls": [ - "SV-238232" + "SV-238268" ], - "id": "controls/SV-238232.rb" + "id": "controls/SV-238268.rb" }, { "title": null, "controls": [ - "SV-238331" + "SV-238336" ], - "id": "controls/SV-238331.rb" + "id": "controls/SV-238336.rb" }, { "title": null, "controls": [ - "SV-238366" + "SV-238364" ], - "id": "controls/SV-238366.rb" + "id": "controls/SV-238364.rb" }, { "title": null, "controls": [ - "SV-238250" + "SV-238367" ], - "id": "controls/SV-238250.rb" + "id": "controls/SV-238367.rb" }, { "title": null, "controls": [ - "SV-238196" + "SV-238331" ], - "id": "controls/SV-238196.rb" + "id": "controls/SV-238331.rb" } ], "sha256": "41eb03c18752ff84382ec54c1ae02375e44ecc86b64c2c16e4e0ca20b341eca6",