From fcafaffe29b39ed3478954aef2278bea7ab0e0b1 Mon Sep 17 00:00:00 2001 From: Emily Rodriguez Date: Fri, 2 Dec 2022 11:22:25 -0600 Subject: [PATCH 1/3] testing delta formatting 
Signed-off-by: Emily Rodriguez --- controls/SV-238196.rb | 46 +++++++++++++++++-------- controls/SV-238197.rb | 78 +++++++++++++++++++++++++++++++++-------- controls/SV-238198.rb | 79 +++++++++++++++++++++++++++++++++--------- controls/SV-238199.rb | 44 +++++++++++++++--------- controls/SV-238200.rb | 42 ++++++++++++++--------- controls/SV-238201.rb | 34 ++++++++++-------- controls/SV-238202.rb | 35 +++++++++++-------- controls/SV-238203.rb | 35 +++++++++++-------- controls/SV-238204.rb | 50 +++++++++++++++++++-------- controls/SV-238205.rb | 52 ++++++++++++++++++---------- controls/SV-238206.rb | 52 ++++++++++++++++++++-------- controls/SV-238207.rb | 51 +++++++++++++++++++-------- controls/SV-238208.rb | 38 +++++++++++--------- controls/SV-238209.rb | 33 ++++++++++-------- controls/SV-238210.rb | 56 +++++++++++++++++++++--------- controls/SV-238211.rb | 40 ++++++++++++++-------- controls/SV-238212.rb | 51 +++++++++++++++++++-------- controls/SV-238213.rb | 43 +++++++++++++++-------- controls/SV-238214.rb | 80 ++++++++++++++++++++++++++++++++++--------- controls/SV-238215.rb | 48 +++++++++++++++++--------- controls/SV-238216.rb | 53 +++++++++++++++++++--------- controls/SV-238217.rb | 59 ++++++++++++++++++++++--------- controls/SV-238218.rb | 35 ++++++++++--------- controls/SV-238219.rb | 45 ++++++++++++++++-------- controls/SV-238220.rb | 36 +++++++++++-------- controls/SV-238221.rb | 39 +++++++++++++-------- controls/SV-238222.rb | 39 +++++++++++++-------- controls/SV-238223.rb | 39 +++++++++++++-------- controls/SV-238224.rb | 43 +++++++++++++++-------- controls/SV-238225.rb | 41 +++++++++++++--------- controls/SV-238226.rb | 42 +++++++++++++++-------- controls/SV-238227.rb | 36 ++++++++++--------- controls/SV-238228.rb | 36 +++++++++++-------- controls/SV-238229.rb | 51 +++++++++++++++++++-------- controls/SV-238230.rb | 53 ++++++++++++++++++++-------- controls/SV-238231.rb | 40 +++++++++++++--------- controls/SV-238232.rb | 38 ++++++++++++-------- 
controls/SV-238233.rb | 33 ++++++++++-------- controls/SV-238234.rb | 42 +++++++++++++---------- controls/SV-238235.rb | 38 ++++++++++---------- controls/SV-238236.rb | 47 +++++++++++++++++-------- controls/SV-238237.rb | 33 ++++++++++-------- controls/SV-238238.rb | 41 +++++++++++++--------- controls/SV-238239.rb | 41 +++++++++++++--------- controls/SV-238240.rb | 41 +++++++++++++--------- controls/SV-238241.rb | 41 +++++++++++++--------- controls/SV-238242.rb | 41 +++++++++++++--------- controls/SV-238243.rb | 44 ++++++++++++++++-------- controls/SV-238244.rb | 51 +++++++++++++++++++-------- controls/SV-238245.rb | 39 ++++++++++++--------- controls/SV-238246.rb | 39 ++++++++++++--------- controls/SV-238247.rb | 39 ++++++++++++--------- controls/SV-238248.rb | 42 +++++++++++++++-------- controls/SV-238249.rb | 38 ++++++++++++-------- controls/SV-238250.rb | 38 ++++++++++++-------- controls/SV-238251.rb | 38 ++++++++++++-------- controls/SV-238252.rb | 38 ++++++++++++-------- controls/SV-238253.rb | 38 ++++++++++++-------- controls/SV-238254.rb | 38 ++++++++++++-------- controls/SV-238255.rb | 38 ++++++++++++-------- controls/SV-238256.rb | 38 ++++++++++++-------- controls/SV-238257.rb | 38 ++++++++++++-------- controls/SV-238258.rb | 46 ++++++++++++++++--------- controls/SV-238264.rb | 46 ++++++++++++++++--------- controls/SV-238268.rb | 46 ++++++++++++++++--------- controls/SV-238271.rb | 46 ++++++++++++++++--------- controls/SV-238277.rb | 38 ++++++++++++-------- controls/SV-238278.rb | 38 ++++++++++++-------- controls/SV-238279.rb | 38 ++++++++++++-------- controls/SV-238280.rb | 38 ++++++++++++-------- controls/SV-238281.rb | 38 ++++++++++++-------- controls/SV-238282.rb | 38 ++++++++++++-------- controls/SV-238283.rb | 38 ++++++++++++-------- controls/SV-238284.rb | 38 ++++++++++++-------- controls/SV-238285.rb | 40 +++++++++++++--------- controls/SV-238286.rb | 40 +++++++++++++--------- controls/SV-238287.rb | 40 +++++++++++++--------- controls/SV-238288.rb 
| 38 ++++++++++++-------- controls/SV-238289.rb | 38 ++++++++++++-------- controls/SV-238290.rb | 38 ++++++++++++-------- controls/SV-238291.rb | 38 ++++++++++++-------- controls/SV-238292.rb | 38 ++++++++++++-------- controls/SV-238293.rb | 38 ++++++++++++-------- controls/SV-238294.rb | 38 ++++++++++++-------- controls/SV-238295.rb | 46 ++++++++++++++++--------- controls/SV-238297.rb | 40 +++++++++++++--------- controls/SV-238298.rb | 59 ++++++++++++++++++++++--------- controls/SV-238299.rb | 36 ++++++++++--------- controls/SV-238300.rb | 48 ++++++++++++++++---------- controls/SV-238301.rb | 48 ++++++++++++++++---------- controls/SV-238302.rb | 48 ++++++++++++++++---------- controls/SV-238303.rb | 49 ++++++++++++++++++-------- controls/SV-238304.rb | 42 ++++++++++++++--------- controls/SV-238305.rb | 37 ++++++++++++-------- controls/SV-238306.rb | 38 +++++++++++--------- controls/SV-238307.rb | 33 ++++++++++-------- controls/SV-238308.rb | 37 ++++++++++++-------- controls/SV-238309.rb | 53 +++++++++++++++++++--------- controls/SV-238310.rb | 44 ++++++++++++++++-------- controls/SV-238315.rb | 40 +++++++++++++--------- controls/SV-238316.rb | 40 +++++++++++++--------- controls/SV-238317.rb | 40 +++++++++++++--------- controls/SV-238318.rb | 38 ++++++++++++-------- controls/SV-238319.rb | 38 ++++++++++++-------- controls/SV-238320.rb | 38 ++++++++++++-------- controls/SV-238321.rb | 36 +++++++++++-------- controls/SV-238323.rb | 40 ++++++++++++++-------- controls/SV-238324.rb | 47 ++++++++++++++++--------- controls/SV-238325.rb | 34 ++++++++++-------- controls/SV-238326.rb | 36 ++++++++++--------- controls/SV-238327.rb | 47 ++++++++++++++++--------- controls/SV-238328.rb | 48 ++++++++++++++++++-------- controls/SV-238329.rb | 57 +++++++++++++++++++++--------- controls/SV-238330.rb | 38 ++++++++++++-------- controls/SV-238331.rb | 40 ++++++++++++++-------- controls/SV-238332.rb | 47 +++++++++++++++++-------- controls/SV-238333.rb | 41 +++++++++++++--------- 
controls/SV-238334.rb | 34 ++++++++++-------- controls/SV-238335.rb | 40 ++++++++++++++-------- controls/SV-238336.rb | 38 ++++++++++++-------- controls/SV-238337.rb | 43 +++++++++++++++-------- controls/SV-238338.rb | 41 ++++++++++++++-------- controls/SV-238339.rb | 43 ++++++++++++++--------- controls/SV-238340.rb | 41 ++++++++++++++-------- controls/SV-238341.rb | 41 ++++++++++++++-------- controls/SV-238342.rb | 43 ++++++++++++++--------- controls/SV-238343.rb | 41 ++++++++++++++-------- controls/SV-238344.rb | 44 ++++++++++++++++-------- controls/SV-238345.rb | 44 ++++++++++++++++-------- controls/SV-238346.rb | 45 ++++++++++++++++-------- controls/SV-238347.rb | 43 ++++++++++++++--------- controls/SV-238348.rb | 43 ++++++++++++++--------- controls/SV-238349.rb | 43 ++++++++++++++--------- controls/SV-238350.rb | 43 ++++++++++++++--------- controls/SV-238351.rb | 43 ++++++++++++++--------- controls/SV-238352.rb | 43 ++++++++++++++--------- controls/SV-238353.rb | 41 +++++++++++++--------- controls/SV-238354.rb | 46 +++++++++++++++++-------- controls/SV-238355.rb | 48 +++++++++++++++++--------- controls/SV-238356.rb | 43 +++++++++++++++-------- controls/SV-238357.rb | 46 +++++++++++++++++-------- controls/SV-238358.rb | 40 ++++++++++++++-------- controls/SV-238359.rb | 46 +++++++++++++++++-------- controls/SV-238360.rb | 51 +++++++++++++++++---------- controls/SV-238361.rb | 39 +++++++++++++-------- controls/SV-238362.rb | 33 ++++++++++-------- controls/SV-238363.rb | 39 +++++++++++---------- controls/SV-238364.rb | 40 ++++++++++++++-------- controls/SV-238365.rb | 40 ++++++++++++++-------- controls/SV-238366.rb | 40 ++++++++++++++-------- controls/SV-238367.rb | 42 +++++++++++++++-------- controls/SV-238368.rb | 39 +++++++++++++-------- controls/SV-238369.rb | 39 +++++++++++++-------- controls/SV-238370.rb | 35 +++++++++++-------- controls/SV-238371.rb | 42 +++++++++++++++-------- controls/SV-238372.rb | 41 ++++++++++++++-------- controls/SV-238373.rb | 38 
++++++++++++-------- controls/SV-238374.rb | 36 ++++++++++--------- controls/SV-238376.rb | 43 ++++++++++++++--------- controls/SV-238377.rb | 43 ++++++++++++++--------- controls/SV-238378.rb | 41 ++++++++++++++-------- controls/SV-238379.rb | 37 ++++++++++++-------- controls/SV-238380.rb | 37 +++++++++++--------- controls/SV-251503.rb | 36 ++++++++++--------- controls/SV-251504.rb | 36 ++++++++++--------- controls/SV-251505.rb | 36 +++++++++++-------- controls/SV-252704.rb | 55 ++++++++++++++++++++--------- 167 files changed, 4428 insertions(+), 2619 deletions(-) diff --git a/controls/SV-238196.rb b/controls/SV-238196.rb index 65e98ae..f9201f1 100644 --- a/controls/SV-238196.rb +++ b/controls/SV-238196.rb @@ -1,4 +1,4 @@ -control 'SV-238196' do +control "SV-238196" do title "The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less. " desc "If temporary user accounts remain active when no longer needed or for an excessive period, 
@@ -15,8 +15,23 @@ To address access requirements, many operating systems may be integrated with enterprise-level -authentication/access mechanisms that meet or exceed access control policy requirements. " - desc 'check', "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or +authentication/access mechanisms that meet or exceed access control policy requirements." + desc "default", "If temporary user accounts remain active when no longer needed or for an excessive period, +these accounts may be used to gain unauthorized access. To mitigate this risk, automated +termination of all temporary accounts must be set upon account creation. + +Temporary +accounts are established as part of normal account activation procedures when there is a need +for short-term accounts without the demand for immediacy in account activation. + +If +temporary accounts are used, the operating system must be configured to automatically +terminate these types of accounts after a DoD-defined time period of 72 hours. + +To address +access requirements, many operating systems may be integrated with enterprise-level +authentication/access mechanisms that meet or exceed access control policy requirements." + desc "check", "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or less. For every existing temporary account, run the following command to obtain its 
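Review bot: The added `desc "default", "If temporary user accounts remain active …"` block repeats, word for word, the text the control already passes to the unlabelled `desc` a few lines earlier, so the same rationale now lives in two places and the copies can drift apart. If I recall the InSpec DSL correctly, an unlabelled `desc` is stored under the default label, so the second call merely overwrites the first with identical text and adds nothing. I would keep a single copy: either drop the new `desc "default"` block, or replace the unlabelled `desc` with it. The same duplication appears in the corresponding hunks of SV-238197 through SV-238203 in this patch; the enclosing `control` block starts and ends outside this hunk.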
@@ -32,24 +47,24 @@ accounts has an expiration date set within 72 hours of account creation. If any temporary -account does not expire within 72 hours of that account's creation, this is a finding. " - desc 'fix', "If a temporary account must be created, configure the system to terminate the account after a +account does not expire within 72 hours of that account's creation, this is a finding." + desc "fix", "If a temporary account must be created, configure the system to terminate the account after a 72-hour time period with the following command to set an expiration date on it. Substitute \"system_account_name\" with the account to be created. $ sudo chage -E $(date -d \"+3 days\" -+%F) system_account_name " ++%F) system_account_name" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000002-GPOS-00002 ' - tag gid: 'V-238196 ' - tag rid: 'SV-238196r653763_rule ' - tag stig_id: 'UBTU-20-010000 ' - tag fix_id: 'F-41365r653762_fix ' - tag cci: ['CCI-000016'] - tag nist: ['AC-2 (2)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000002-GPOS-00002 " + tag gid: "V-238196 " + tag rid: "SV-238196r653763_rule " + tag stig_id: "UBTU-20-010000 " + tag fix_id: "F-41365r653762_fix " + tag cci: ["CCI-000016"] + tag nist: ["AC-2 (2)"] temporary_accounts = input('temporary_accounts') @@ -65,4 +80,5 @@ end end end -end + +end \ No newline at end of file diff --git a/controls/SV-238197.rb b/controls/SV-238197.rb index fbd6302..7d6d334 100644 --- a/controls/SV-238197.rb +++ b/controls/SV-238197.rb @@ -1,4 +1,4 @@ -control 'SV-238197' do +control "SV-238197" do title "The Ubuntu operating system must enable the graphical user logon banner to display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon. " 
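Review bot: The re-quoted tag lines keep the trailing blank inside every value, e.g. `tag severity: "medium "` and `tag stig_id: "UBTU-20-010000 "`, even though the same hunk strips the trailing blank from the `desc "fix"` string two lines above. Tag values are what reporters and any tag-based control filtering compare against, so `"medium "` will not match `medium` and the padded STIG id will not match `UBTU-20-010000` exactly; a pass that is already rewriting every tag is the right moment to trim them, e.g. `tag severity: "medium"`, `tag gid: "V-238196"`, `tag stig_id: "UBTU-20-010000"`. The same trailing blanks survive in the tag hunks of every other control in this patch (SV-238197 through SV-238203 are visible here).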
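Review bot: The closing hunk (`@@ -65,4 +80,5 @@`) replaces the final `end` with an empty line, `end`, and no terminating newline (`\ No newline at end of file`), which makes every future diff of this file carry the same marker and, if the profile runs RuboCop, trips the Layout/TrailingEmptyLines and empty-lines-around-block-body checks. Nothing in the change needs the extra blank line, so I would keep the original `end` with a trailing newline. The same rewrite is applied to the closing hunk of every control in this patch (SV-238197 through SV-238203 visible here).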
@@ -48,8 +48,55 @@ characters that can be displayed in the banner: \"I've read & consent to terms in IS user -agreem't.\" " - desc 'check', "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD +agreem't.\"" + desc "default", "Display of a standardized and approved use notification before granting access to the Ubuntu +operating system ensures privacy and security notification verbiage used is consistent +with applicable federal laws, Executive Orders, directives, policies, regulations, +standards, and guidance. + +System use notifications are required only for access via logon +interfaces with human users and are not required when such human interfaces do not exist. + + +The banner must be formatted in accordance with applicable DoD policy. Use the following +verbiage for operating systems that can accommodate banners of 1300 characters: + +\"You are +accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only. + +By using this IS (which includes any device attached to this IS), +you consent to the following conditions: + +-The USG routinely intercepts and monitors +communications on this IS for purposes including, but not limited to, penetration testing, +COMSEC monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may +inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS +are not private, are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. + +-This IS includes security measures +(e.g., authentication and access controls) to protect USG interests--not for your personal +benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +Use the +following verbiage for operating systems that have severe limitations on the number of +characters that can be displayed in the banner: + +\"I've read & consent to terms in IS user +agreem't.\"" + desc "check", "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. @@ -65,8 +112,8 @@ banner-message-enable=true If the line is -commented out or set to \"false\", this is a finding. " - desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. +commented out or set to \"false\", this is a finding." + desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. Look for the \"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and @@ -84,16 +131,16 @@ $ sudo dconf update -$ sudo systemctl restart gdm3 " +$ sudo systemctl restart gdm3" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000023-GPOS-00006 ' - tag gid: 'V-238197 ' - tag rid: 'SV-238197r653766_rule ' - tag stig_id: 'UBTU-20-010002 ' - tag fix_id: 'F-41366r653765_fix ' - tag cci: ['CCI-000048'] - tag nist: ['AC-8 a'] + tag severity: "medium " + tag gtitle: "SRG-OS-000023-GPOS-00006 " + tag gid: "V-238197 " + tag rid: "SV-238197r653766_rule " + tag stig_id: "UBTU-20-010002 " + tag fix_id: "F-41366r653765_fix " + tag cci: ["CCI-000048"] + tag nist: ["AC-8 a"] xorg_status = command('which Xorg').exit_status if xorg_status == 0 
@@ -106,4 +153,5 @@ skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) end end -end + +end \ No newline at end of file diff --git a/controls/SV-238198.rb b/controls/SV-238198.rb index 8e982a8..311b4d4 100644 --- a/controls/SV-238198.rb +++ b/controls/SV-238198.rb @@ -1,4 +1,4 @@ -control 'SV-238198' do +control "SV-238198" do title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon. " desc "Display of a standardized and approved use notification before granting access to the Ubuntu 
@@ -47,8 +47,55 @@ characters that can be displayed in the banner: \"I've read & consent to terms in IS user -agreem't.\" " - desc 'check', "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent +agreem't.\"" + desc "default", "Display of a standardized and approved use notification before granting access to the Ubuntu +operating system ensures privacy and security notification verbiage used is consistent +with applicable federal laws, Executive Orders, directives, policies, regulations, +standards, and guidance. + +System use notifications are required only for access via logon +interfaces with human users and are not required when such human interfaces do not exist. + + +The banner must be formatted in accordance with applicable DoD policy. Use the following +verbiage for operating systems that can accommodate banners of 1300 characters: + +\"You are +accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only. + +By using this IS (which includes any device attached to this IS), +you consent to the following conditions: + +-The USG routinely intercepts and monitors +communications on this IS for purposes including, but not limited to, penetration testing, +COMSEC monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may +inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS +are not private, are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. + +-This IS includes security measures +(e.g., authentication and access controls) to protect USG interests--not for your personal +benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +Use the +following verbiage for operating systems that have severe limitations on the number of +characters that can be displayed in the banner: + +\"I've read & consent to terms in IS user +agreem't.\"" + desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. Note: If @@ -80,8 +127,8 @@ If the banner-message-text is missing, commented out, or does not match the Standard Mandatory DoD -Notice and Consent Banner exactly, this is a finding. " - desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. +Notice and Consent Banner exactly, this is a finding." + desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. Set the \"banner-message-text\" line to contain the appropriate banner message text as shown below: @@ -108,16 +155,15 @@ $ sudo dconf update $ sudo -systemctl restart gdm3 " - impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000023-GPOS-00006 ' - tag gid: 'V-238198 ' - tag rid: 'SV-238198r653769_rule ' - tag stig_id: 'UBTU-20-010003 ' - tag fix_id: 'F-41367r653768_fix ' - tag cci: ['CCI-000048'] - tag nist: ['AC-8 a'] +systemctl restart gdm3" + tag severity: "medium " + tag gtitle: "SRG-OS-000023-GPOS-00006 " + tag gid: "V-238198 " + tag rid: "SV-238198r653769_rule " + tag stig_id: "UBTU-20-010003 " + tag fix_id: "F-41367r653768_fix " + tag cci: ["CCI-000048"] + tag nist: ["AC-8 a"] banner_text = input('banner_text') clean_banner = banner_text.gsub(/[\r\n\s]/, '') 
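Review bot: `impact 0.5` disappears from SV-238198 in the hunk at `@@ -108,16 +155,15 @@`: the `- impact 0.5` line is removed and nothing on the new side replaces it, so this is the only control in the patch that ends up with no explicit impact, while every sibling (SV-238196, SV-238197, SV-238199 and onward) keeps `impact 0.5` next to `tag severity: "medium "`. Since the rest of the hunk only re-quotes lines, this looks like an accident of the formatting pass rather than an intended change. If InSpec falls back to a default impact when none is declared, the control's reported impact could silently diverge from its stated severity. I would restore `impact 0.5` immediately before the `tag severity` line. The enclosing `control` block starts and ends outside this hunk.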
@@ -134,4 +180,5 @@ skip 'Package gdm3 not installed, this control Not Applicable' end end -end + +end \ No newline at end of file diff --git a/controls/SV-238199.rb b/controls/SV-238199.rb index 3d6875a..d501597 100644 --- a/controls/SV-238199.rb +++ b/controls/SV-238199.rb @@ -1,4 +1,4 @@ -control 'SV-238199' do +control "SV-238199" do title "The Ubuntu operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures. " desc "A session lock is a temporary action taken when a user stops work and moves away from the @@ -11,10 +11,19 @@ Regardless of where the session lock is determined and implemented, once invoked, a session lock of the Ubuntu operating system must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock -the system. +the system." + desc "default", "A session lock is a temporary action taken when a user stops work and moves away from the +immediate physical vicinity of the information system but does not want to log out because of +the temporary nature of the absence. - " - desc 'check', "Verify the Ubuntu operation system has a graphical user interface session lock enabled. +The session lock is implemented at the point where +session activity can be determined. + +Regardless of where the session lock is determined and +implemented, once invoked, a session lock of the Ubuntu operating system must remain in place +until the user reauthenticates. No other activity aside from reauthentication must unlock +the system." + desc "check", "Verify the Ubuntu operation system has a graphical user interface session lock enabled. Note: If the Ubuntu operating system does not have a graphical user interface installed, 
@@ -29,8 +38,8 @@ true If \"lock-enabled\" is -not set to \"true\", this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to allow a user to lock the current graphical user +not set to \"true\", this is a finding." + desc "fix", "Configure the Ubuntu operating system to allow a user to lock the current graphical user interface session. Note: If the Ubuntu operating system does not have a graphical user @@ -40,17 +49,17 @@ to allow graphical user interface session locks with the following command: $ sudo -gsettings set org.gnome.desktop.screensaver lock-enabled true " +gsettings set org.gnome.desktop.screensaver lock-enabled true" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000028-GPOS-00009 ' - tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010) - tag gid: 'V-238199 ' - tag rid: 'SV-238199r653772_rule ' - tag stig_id: 'UBTU-20-010004 ' - tag fix_id: 'F-41368r653771_fix ' - tag cci: %w(CCI-000056 CCI-000057) - tag nist: ['AC-11 b', 'AC-11 a'] + tag severity: "medium " + tag gtitle: "SRG-OS-000028-GPOS-00009 " + tag satisfies: ["SRG-OS-000028-GPOS-00009", "SRG-OS-000029-GPOS-00010"] + tag gid: "V-238199 " + tag rid: "SV-238199r653772_rule " + tag stig_id: "UBTU-20-010004 " + tag fix_id: "F-41368r653771_fix " + tag cci: ["CCI-000056", "CCI-000057"] + tag nist: ["AC-11 b", "AC-11 a"] xorg_status = command('which Xorg').exit_status if xorg_status == 0 @@ -62,4 +71,5 @@ skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) end end -end + +end \ No newline at end of file diff --git a/controls/SV-238200.rb b/controls/SV-238200.rb index 4957365..19963f7 100644 --- a/controls/SV-238200.rb +++ b/controls/SV-238200.rb 
@@ -1,4 +1,4 @@ -control 'SV-238200' do +control "SV-238200" do title "The Ubuntu operating system must allow users to directly initiate a session lock for all connection types. " desc "A session lock is a temporary action taken when a user stops work and moves away from the 
@@ -9,31 +9,39 @@ session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, the Ubuntu operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session if they need to -temporarily vacate the immediate physical vicinity. +temporarily vacate the immediate physical vicinity." + desc "default", "A session lock is a temporary action taken when a user stops work and moves away from the +immediate physical vicinity of the information system but does not want to log out because of +the temporary nature of the absence. - " - desc 'check', "Verify the Ubuntu operating system has the \"vlock\" package installed by running the +The session lock is implemented at the point where +session activity can be determined. Rather than be forced to wait for a period of time to expire +before the user session can be locked, the Ubuntu operating systems need to provide users with +the ability to manually invoke a session lock so users may secure their session if they need to +temporarily vacate the immediate physical vicinity." + desc "check", "Verify the Ubuntu operating system has the \"vlock\" package installed by running the following command: $ dpkg -l | grep vlock -If \"vlock\" is not installed, this is a finding. " - desc 'fix', "Install the \"vlock\" package (if it is not already installed) by running the following +If \"vlock\" is not installed, this is a finding." 
+ desc "fix", "Install the \"vlock\" package (if it is not already installed) by running the following command: -$ sudo apt-get install vlock " +$ sudo apt-get install vlock" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000030-GPOS-00011 ' - tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012) - tag gid: 'V-238200 ' - tag rid: 'SV-238200r653775_rule ' - tag stig_id: 'UBTU-20-010005 ' - tag fix_id: 'F-41369r653774_fix ' - tag cci: %w(CCI-000058 CCI-000060) - tag nist: ['AC-11 a', 'AC-11 (1)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000030-GPOS-00011 " + tag satisfies: ["SRG-OS-000030-GPOS-00011", "SRG-OS-000031-GPOS-00012"] + tag gid: "V-238200 " + tag rid: "SV-238200r653775_rule " + tag stig_id: "UBTU-20-010005 " + tag fix_id: "F-41369r653774_fix " + tag cci: ["CCI-000058", "CCI-000060"] + tag nist: ["AC-11 a", "AC-11 (1)"] describe package('vlock') do it { should be_installed } end -end + +end \ No newline at end of file diff --git a/controls/SV-238201.rb b/controls/SV-238201.rb index cd90abd..31d3373 100644 --- a/controls/SV-238201.rb +++ b/controls/SV-238201.rb 
@@ -1,34 +1,37 @@ -control 'SV-238201' do +control "SV-238201" do title "The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication. " desc "Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic -analysis. " - desc 'check', "Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file: +analysis." + desc "default", "Without mapping the certificate used to authenticate to the user account, the ability to +determine the identity of the individual user or group will not be available for forensic +analysis." + desc "check", "Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file: $ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf use_mappers = pwent If -\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding. " - desc 'fix', "Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a +\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding." + desc "fix", "Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a comma-separated list of mappers, add it to the list, separated by comma, and before the null mapper. If the system is missing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify accordingly at -\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". " +\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." 
impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000068-GPOS-00036 ' - tag gid: 'V-238201 ' - tag rid: 'SV-238201r832933_rule ' - tag stig_id: 'UBTU-20-010006 ' - tag fix_id: 'F-41370r653777_fix ' - tag cci: ['CCI-000187'] - tag nist: ['IA-5 (2) (a) (2)'] + tag severity: "high " + tag gtitle: "SRG-OS-000068-GPOS-00036 " + tag gid: "V-238201 " + tag rid: "SV-238201r832933_rule " + tag stig_id: "UBTU-20-010006 " + tag fix_id: "F-41370r653777_fix " + tag cci: ["CCI-000187"] + tag nist: ["IA-5 (2) (a) (2)"] config_file = '/etc/pam_pkcs11/pam_pkcs11.conf' config_file_exists = file(config_file).exist? @@ -43,4 +46,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238202.rb b/controls/SV-238202.rb index 502d9c9..c445142 100644 --- a/controls/SV-238202.rb +++ b/controls/SV-238202.rb 
@@ -1,11 +1,15 @@ -control 'SV-238202' do +control "SV-238202" do title "The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction. " desc "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a -short period of time to defeat the organization's policy regarding password reuse. " - desc 'check', "Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for +short period of time to defeat the organization's policy regarding password reuse." + desc "default", "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat +the password reuse or history enforcement requirement. If users are allowed to immediately +and continually change their password, then the password could be repeatedly changed in a +short period of time to defeat the organization's policy regarding password reuse." + desc "check", "Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for new user accounts by running the following command: $ grep -i ^pass_min_days 
@@ -14,24 +18,25 @@ PASS_MIN_DAYS 1 If the \"PASS_MIN_DAYS\" parameter value is less than -\"1\" or is commented out, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime. +\"1\" or is commented out, this is a finding." + desc "fix", "Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime. Add or modify the following line in the \"/etc/login.defs\" file: -PASS_MIN_DAYS 1 " +PASS_MIN_DAYS 1" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000075-GPOS-00043 ' - tag gid: 'V-238202 ' - tag rid: 'SV-238202r653781_rule ' - tag stig_id: 'UBTU-20-010007 ' - tag fix_id: 'F-41371r653780_fix ' - tag cci: ['CCI-000198'] - tag nist: ['IA-5 (1) (d)'] + tag severity: "low " + tag gtitle: "SRG-OS-000075-GPOS-00043 " + tag gid: "V-238202 " + tag rid: "SV-238202r653781_rule " + tag stig_id: "UBTU-20-010007 " + tag fix_id: "F-41371r653780_fix " + tag cci: ["CCI-000198"] + tag nist: ["IA-5 (1) (d)"] describe login_defs do its('PASS_MIN_DAYS') { should >= '1' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238203.rb b/controls/SV-238203.rb index f19f5cc..77edb8f 100644 --- a/controls/SV-238203.rb +++ b/controls/SV-238203.rb 
@@ -1,11 +1,15 @@ -control 'SV-238203' do +control "SV-238203" do title "The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction. " desc "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords -could be compromised. " - desc 'check', "Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user +could be compromised." + desc "default", "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to +be changed periodically. If the operating system does not limit the lifetime of passwords and +force users to change their passwords, there is the risk that the operating system passwords +could be compromised." + desc "check", "Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user accounts by running the following command: $ grep -i ^pass_max_days /etc/login.defs 
@@ -13,24 +17,25 @@ PASS_MAX_DAYS 60 If the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented -out, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime. +out, this is a finding." + desc "fix", "Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime. Add or modify the following line in the \"/etc/login.defs\" file: -PASS_MAX_DAYS 60 " +PASS_MAX_DAYS 60" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000076-GPOS-00044 ' - tag gid: 'V-238203 ' - tag rid: 'SV-238203r653784_rule ' - tag stig_id: 'UBTU-20-010008 ' - tag fix_id: 'F-41372r653783_fix ' - tag cci: ['CCI-000199'] - tag nist: ['IA-5 (1) (d)'] + tag severity: "low " + tag gtitle: "SRG-OS-000076-GPOS-00044 " + tag gid: "V-238203 " + tag rid: "SV-238203r653784_rule " + tag stig_id: "UBTU-20-010008 " + tag fix_id: "F-41372r653783_fix " + tag cci: ["CCI-000199"] + tag nist: ["IA-5 (1) (d)"] describe login_defs do its('PASS_MAX_DAYS') { should cmp <= 60 } end -end + +end \ No newline at end of file diff --git a/controls/SV-238204.rb b/controls/SV-238204.rb index bd570f4..639073e 100644 --- a/controls/SV-238204.rb +++ b/controls/SV-238204.rb @@ -1,4 +1,4 @@ -control 'SV-238204' do +control "SV-238204" do title "Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes. " desc "To mitigate the risk of unauthorized access to sensitive information by entities that have 
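Review bot: `its('PASS_MAX_DAYS') { should cmp <= 60 }` accepts any value of 60 or below, while the check text a few lines above in this hunk says a value "less than 60" is a finding, so the code and the text it is meant to implement contradict each other. The control's title ("60-day maximum password lifetime") agrees with the matcher, which suggests the check text is the odd one out, but that should be confirmed against the published STIG rather than assumed. Whichever is right, reconcile them in this file, either by fixing the wording of `desc "check"` or by changing the matcher, so the reported rationale and the assertion cannot be read as saying opposite things.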
@@ -19,8 +19,27 @@ access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the -information system. " - desc 'check', "Run the following command to verify the encrypted password is set: +information system." + desc "default", "To mitigate the risk of unauthorized access to sensitive information by entities that have +been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web +portals) must be properly configured to incorporate access control methods that do not rely +solely on the possession of a certificate for access. + +Successful authentication must not +automatically give an entity access to an asset or security boundary. Authorization +procedures and controls must be implemented to ensure each authenticated entity also has a +validated and current authorization. Authorization is the process of determining whether +an entity, once authenticated, is permitted to access a specific asset. Information systems +use access control policies and enforcement mechanisms to implement this requirement. + + +Access control policies include identity-based policies, role-based policies, and +attribute-based policies. Access enforcement mechanisms include access control lists, +access control matrices, and cryptography. These policies and mechanisms must be employed +by the application to control access between users (or processes acting on behalf of users) +and objects (e.g., devices, files, records, processes, programs, and domains) in the +information system." + desc "check", "Run the following command to verify the encrypted password is set: $ sudo grep -i password /boot/grub/grub.cfg 
@@ -29,8 +48,8 @@ grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG If the root password -entry does not begin with \"password_pbkdf2\", this is a finding. " - desc 'fix', "Configure the system to require a password for authentication upon booting into single-user +entry does not begin with \"password_pbkdf2\", this is a finding." + desc "fix", "Configure the system to require a password for authentication upon booting into single-user and maintenance modes. Generate an encrypted (grub) password for root with the following @@ -56,18 +75,19 @@ updated \"grub.conf\" file with the new password by using the following command: $ sudo -update-grub " +update-grub" impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000080-GPOS-00048 ' - tag gid: 'V-238204 ' - tag rid: 'SV-238204r832936_rule ' - tag stig_id: 'UBTU-20-010009 ' - tag fix_id: 'F-41373r832935_fix ' - tag cci: ['CCI-000213'] - tag nist: ['AC-3'] + tag severity: "high " + tag gtitle: "SRG-OS-000080-GPOS-00048 " + tag gid: "V-238204 " + tag rid: "SV-238204r832936_rule " + tag stig_id: "UBTU-20-010009 " + tag fix_id: "F-41373r832935_fix " + tag cci: ["CCI-000213"] + tag nist: ["AC-3"] describe grub_conf('/boot/grub/grub.cfg') do its('password') { should match '^password_pbkdf2' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238205.rb b/controls/SV-238205.rb index 5d835c7..5338ddd 100644 --- a/controls/SV-238205.rb +++ b/controls/SV-238205.rb @@ -1,5 +1,5 @@ -control 'SV-238205' do - title 'The Ubuntu operating system must uniquely identify interactive users. ' +control "SV-238205" do + title "The Ubuntu operating system must uniquely identify interactive users. " desc "To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. 
@@ -16,28 +16,43 @@ 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., -shared privilege accounts) or for detailed accountability of individual activity. +shared privilege accounts) or for detailed accountability of individual activity." + desc "default", "To assure accountability and prevent unauthenticated access, organizational users must be +identified and authenticated to prevent potential misuse and compromise of the system. + + +Organizational users include organizational employees or individuals the organization +deems to have equivalent status of employees (e.g., contractors). Organizational users +(and processes acting on behalf of users) must be uniquely identified and authenticated to +all accesses, except for the following: - " - desc 'check', "Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive +1) Accesses explicitly identified and documented +by the organization. Organizations document specific user actions that can be performed on +the information system without identification or authentication; and + +2) Accesses that +occur through authorized use of group authenticators without individual authentication. +Organizations may require unique identification of individuals in group accounts (e.g., +shared privilege accounts) or for detailed accountability of individual activity." + desc "check", "Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive users with the following command: $ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd If -output is produced and the accounts listed are interactive user accounts, this is a finding. " - desc 'fix', "Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate -UID with a unique UID. 
" +output is produced and the accounts listed are interactive user accounts, this is a finding." + desc "fix", "Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate +UID with a unique UID." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000104-GPOS-00051 ' - tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062) - tag gid: 'V-238205 ' - tag rid: 'SV-238205r653790_rule ' - tag stig_id: 'UBTU-20-010010 ' - tag fix_id: 'F-41374r653789_fix ' - tag cci: %w(CCI-000764 CCI-000804) - tag nist: %w(IA-2 IA-8) + tag severity: "medium " + tag gtitle: "SRG-OS-000104-GPOS-00051 " + tag satisfies: ["SRG-OS-000104-GPOS-00051", "SRG-OS-000121-GPOS-00062"] + tag gid: "V-238205 " + tag rid: "SV-238205r653790_rule " + tag stig_id: "UBTU-20-010010 " + tag fix_id: "F-41374r653789_fix " + tag cci: ["CCI-000764", "CCI-000804"] + tag nist: ["IA-2", "IA-8"] user_list = command("awk -F \":\" 'list[$3]++{print $1}' /etc/passwd").stdout.split("\n") findings = Set[] @@ -49,4 +64,5 @@ subject { findings.to_a } it { should be_empty } end -end + +end \ No newline at end of file diff --git a/controls/SV-238206.rb b/controls/SV-238206.rb index 366cf01..c7f632e 100644 --- a/controls/SV-238206.rb +++ b/controls/SV-238206.rb @@ -1,4 +1,4 @@ -control 'SV-238206' do +control "SV-238206" do title "The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group. " desc "An isolation boundary provides access control and protects the integrity of the hardware, 
@@ -21,8 +21,29 @@ The Ubuntu operating system restricts access to security functions through the use of access control mechanisms -and by implementing least privilege capabilities. " - desc 'check', "Verify the sudo group has only members who should have access to security functions. +and by implementing least privilege capabilities." + desc "default", "An isolation boundary provides access control and protects the integrity of the hardware, +software, and firmware that perform security functions. + +Security functions are the +hardware, software, and/or firmware of the information system responsible for enforcing +the system security policy and supporting the isolation of code and data on which the +protection is based. Operating systems implement code separation (i.e., separation of +security functions from nonsecurity functions) in a number of ways, including through the +provision of security kernels via processor rings or processor modes. For non-kernel code, +security function isolation is often achieved through file system protections that serve to +protect the code on disk and address space protections that protect executing code. + + +Developers and implementers can increase the assurance in security functions by employing +well-defined security policy models; structured, disciplined, and rigorous hardware and +software development techniques; and sound system/security engineering principles. +Implementation may include isolation of memory space and libraries. + +The Ubuntu operating +system restricts access to security functions through the use of access control mechanisms +and by implementing least privilege capabilities." + desc "check", "Verify the sudo group has only members who should have access to security functions. $ grep sudo /etc/group 
@@ -30,22 +51,22 @@ sudo:x:27:foo If the sudo group contains users not needing access to -security functions, this is a finding. " - desc 'fix', "Configure the sudo group with only members requiring access to security functions. +security functions, this is a finding." + desc "fix", "Configure the sudo group with only members requiring access to security functions. To remove a user from the sudo group, run: -$ sudo gpasswd -d <username> sudo " +$ sudo gpasswd -d <username> sudo" impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000134-GPOS-00068 ' - tag gid: 'V-238206 ' - tag rid: 'SV-238206r653793_rule ' - tag stig_id: 'UBTU-20-010012 ' - tag fix_id: 'F-41375r653792_fix ' - tag cci: ['CCI-001084'] - tag nist: ['SC-3'] + tag severity: "high " + tag gtitle: "SRG-OS-000134-GPOS-00068 " + tag gid: "V-238206 " + tag rid: "SV-238206r653793_rule " + tag stig_id: "UBTU-20-010012 " + tag fix_id: "F-41375r653792_fix " + tag cci: ["CCI-001084"] + tag nist: ["SC-3"] sudo_accounts = input('sudo_accounts') @@ -65,4 +86,5 @@ end end end -end + +end \ No newline at end of file diff --git a/controls/SV-238207.rb b/controls/SV-238207.rb index abd64d7..dcc6037 100644 --- a/controls/SV-238207.rb +++ b/controls/SV-238207.rb @@ -1,4 +1,4 @@ -control 'SV-238207' do +control "SV-238207" do title "The Ubuntu operating system must automatically terminate a user session after inactivity timeouts have expired. " desc "Automatic session termination addresses the termination of user-initiated logical 
@@ -20,8 +20,28 @@ This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires -additional assurance. " - desc 'check', "Verify the operating system automatically terminates a user session after inactivity +additional assurance." + desc "default", "Automatic session termination addresses the termination of user-initiated logical +sessions in contrast to the termination of network connections that are associated with +communications sessions (i.e., network disconnect). A logical session (for local, +network, and remote access) is initiated whenever a user (or process acting on behalf of a +user) accesses an organizational information system. Such user sessions can be terminated +(and thus terminate user access) without terminating network sessions. + +Session +termination terminates all processes associated with a user's logical session except those +processes that are specifically created by the user (i.e., session owner) to continue after +the session is terminated. + +Conditions or trigger events requiring automatic session +termination can include, for example, organization-defined periods of user inactivity, +targeted responses to certain types of incidents, and time-of-day restrictions on +information system use. + +This capability is typically reserved for specific operating +system functionality where the system owner, data owner, or organization requires +additional assurance." + desc "check", "Verify the operating system automatically terminates a user session after inactivity timeouts have expired. Check that \"TMOUT\" environment variable is set in the 
@@ -34,8 +54,8 @@ TMOUT=600 If \"TMOUT\" is not set, or if the value is \"0\" or is commented -out, this is a finding. " - desc 'fix', "Configure the operating system to automatically terminate a user session after inactivity +out, this is a finding." + desc "fix", "Configure the operating system to automatically terminate a user session after inactivity timeouts have expired or at shutdown. Create the file @@ -53,16 +73,16 @@ current sessions, execute the following command over the terminal session: $ export -TMOUT=600 " +TMOUT=600" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000279-GPOS-00109 ' - tag gid: 'V-238207 ' - tag rid: 'SV-238207r853404_rule ' - tag stig_id: 'UBTU-20-010013 ' - tag fix_id: 'F-41376r653795_fix ' - tag cci: ['CCI-002361'] - tag nist: ['AC-12'] + tag severity: "medium " + tag gtitle: "SRG-OS-000279-GPOS-00109 " + tag gid: "V-238207 " + tag rid: "SV-238207r853404_rule " + tag stig_id: "UBTU-20-010013 " + tag fix_id: "F-41376r653795_fix " + tag cci: ["CCI-002361"] + tag nist: ["AC-12"] profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split("\n").entries timeout = input('tmout').to_s @@ -74,4 +94,5 @@ end end end -end + +end \ No newline at end of file diff --git a/controls/SV-238208.rb b/controls/SV-238208.rb index 117b511..169cc35 100644 --- a/controls/SV-238208.rb +++ b/controls/SV-238208.rb 
@@ -1,35 +1,39 @@ -control 'SV-238208' do +control "SV-238208" do title "The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles. " desc "Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a -functional capability, it is critical the user reauthenticate. +functional capability, it is critical the user reauthenticate." + desc "default", "Without reauthentication, users may access resources or perform tasks for which they do not +have authorization. - " - desc 'check', "Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by +When operating systems provide the capability to escalate a +functional capability, it is critical the user reauthenticate." + desc "check", "Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by running the following command: $ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers /etc/sudoers.d/* If any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the -command, this is a finding. " - desc 'fix', "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or -files in the \"/etc/sudoers.d\" directory. " +command, this is a finding." + desc "fix", "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or +files in the \"/etc/sudoers.d\" directory." 
impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000373-GPOS-00156 ' - tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157) - tag gid: 'V-238208 ' - tag rid: 'SV-238208r853405_rule ' - tag stig_id: 'UBTU-20-010014 ' - tag fix_id: 'F-41377r653798_fix ' - tag cci: ['CCI-002038'] - tag nist: ['IA-11'] + tag severity: "medium " + tag gtitle: "SRG-OS-000373-GPOS-00156 " + tag satisfies: ["SRG-OS-000373-GPOS-00156", "SRG-OS-000373-GPOS-00157"] + tag gid: "V-238208 " + tag rid: "SV-238208r853405_rule " + tag stig_id: "UBTU-20-010014 " + tag fix_id: "F-41377r653798_fix " + tag cci: ["CCI-002038"] + tag nist: ["IA-11"] describe command("egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers") do its('stdout.strip') { should be_empty } end -end + +end \ No newline at end of file diff --git a/controls/SV-238209.rb b/controls/SV-238209.rb index 38365fc..68e279a 100644 --- a/controls/SV-238209.rb +++ b/controls/SV-238209.rb @@ -1,9 +1,11 @@ -control 'SV-238209' do +control "SV-238209" do title "The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files. " desc "Setting the most restrictive default permissions ensures that when new accounts are created -they do not have unnecessary access. " - desc 'check', "Verify the Ubuntu operating system defines default permissions for all authenticated users +they do not have unnecessary access." + desc "default", "Setting the most restrictive default permissions ensures that when new accounts are created +they do not have unnecessary access." + desc "check", "Verify the Ubuntu operating system defines default permissions for all authenticated users in such a way that the user can read and modify only their own files. Verify the Ubuntu 
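Review bot: `its('stdout.strip') { should be_empty }` passes vacuously when egrep cannot read the files, because a permission error goes to stderr and leaves stdout empty, so the control would report compliant without having inspected /etc/sudoers at all. Add an exit-status assertion next to it so an unreadable file is distinguished from "no match": `its('exit_status') { should cmp 1 }` (grep exits 1 when no lines were selected and 2 on an error). The check text in this hunk runs the grep under sudo while the resource command does not, so whether this bites depends on how the profile is executed; `egrep` is also a deprecated alias and `grep -E -r -i` is the equivalent spelling. The enclosing control starts in the previous physical line of the hunk.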
@@ -18,25 +20,26 @@ variable is set to \"000\", this is a finding with the severity raised to a CAT I. If the value of -\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding. " - desc 'fix', "Configure the system to define the default permissions for all authenticated users in such a +\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding." + desc "fix", "Configure the system to define the default permissions for all authenticated users in such a way that the user can read and modify only their own files. Edit the \"UMASK\" parameter in the \"/etc/login.defs\" file to match the example below: -UMASK 077 " +UMASK 077" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000480-GPOS-00228 ' - tag gid: 'V-238209 ' - tag rid: 'SV-238209r653802_rule ' - tag stig_id: 'UBTU-20-010016 ' - tag fix_id: 'F-41378r653801_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000480-GPOS-00228 " + tag gid: "V-238209 " + tag rid: "SV-238209r653802_rule " + tag stig_id: "UBTU-20-010016 " + tag fix_id: "F-41378r653801_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] describe login_defs do its('UMASK') { should eq '077' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238210.rb b/controls/SV-238210.rb index 9b407aa..7410d0f 100644 --- a/controls/SV-238210.rb +++ b/controls/SV-238210.rb @@ -1,4 +1,4 @@ -control 'SV-238210' do +control "SV-238210" do title "The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts. " desc "Without the use of multifactor authentication, the ease of access to privileged functions is 
@@ -23,10 +23,31 @@ internet). The DoD CAC with DoD-approved PKI is an example of multifactor -authentication. +authentication." + desc "default", "Without the use of multifactor authentication, the ease of access to privileged functions is +greatly increased. + +Multifactor authentication requires using two or more factors to +achieve authentication. + +Factors include: +1) something a user knows (e.g., +password/PIN); +2) something a user has (e.g., cryptographic identification device, +token); and +3) something a user is (e.g., biometric). - " - desc 'check', "Verify the Ubuntu operating system has the packages required for multifactor +A privileged account is defined as an +information system account with authorizations of a privileged user. + +Network access is +defined as access to an information system by a user (or a process acting on behalf of a user) +communicating through a network (e.g., local area network, wide area network, or the +internet). + +The DoD CAC with DoD-approved PKI is an example of multifactor +authentication." + desc "check", "Verify the Ubuntu operating system has the packages required for multifactor authentication installed with the following commands: $ dpkg -l | grep libpam-pkcs11 @@ -47,8 +68,8 @@ If this option is set to \"no\" or is missing, this is a finding. -If conflicting results are returned, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to use multifactor authentication for network access +If conflicting results are returned, this is a finding." + desc "fix", "Configure the Ubuntu operating system to use multifactor authentication for network access to accounts. Add or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the 
@@ -57,17 +78,17 @@ auth [success=2 default=ignore] pam_pkcs11.so Set the sshd option -\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file. " +\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000105-GPOS-00052 ' - tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055) - tag gid: 'V-238210 ' - tag rid: 'SV-238210r858517_rule ' - tag stig_id: 'UBTU-20-010033 ' - tag fix_id: 'F-41379r653804_fix ' - tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768) - tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000105-GPOS-00052 " + tag satisfies: ["SRG-OS-000105-GPOS-00052", "SRG-OS-000106-GPOS-00053", "SRG-OS-000107-GPOS-00054", "SRG-OS-000108-GPOS-00055"] + tag gid: "V-238210 " + tag rid: "SV-238210r858517_rule " + tag stig_id: "UBTU-20-010033 " + tag fix_id: "F-41379r653804_fix " + tag cci: ["CCI-000765", "CCI-000766", "CCI-000767", "CCI-000768"] + tag nist: ["IA-2 (1)", "IA-2 (2)", "IA-2 (3)", "IA-2 (4)"] describe package('libpam-pkcs11') do it { should be_installed } @@ -76,4 +97,5 @@ describe sshd_config do its('PubkeyAuthentication') { should cmp 'yes' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238211.rb b/controls/SV-238211.rb index 9217a80..5353d49 100644 --- a/controls/SV-238211.rb +++ b/controls/SV-238211.rb @@ -1,4 +1,4 @@ -control 'SV-238211' do +control "SV-238211" do title "The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions. " desc "Nonlocal maintenance and diagnostic activities are those activities conducted by 
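Review bot: `its('PubkeyAuthentication') { should cmp 'yes' }` evaluates only the single value the `sshd_config` resource parses from its file, whereas the check text in the previous hunk treats "conflicting results" as a finding; if the directive is duplicated, or an override arrives through an `Include`d drop-in (Ubuntu 20.04's default sshd_config includes /etc/ssh/sshd_config.d/*.conf), the resource's answer is not necessarily sshd's effective setting. If that gap matters for this profile, assert against the daemon's own view instead, e.g. `describe command('sshd -T') do its('stdout') { should match(/^pubkeyauthentication yes$/i) } end`, which requires root but reflects includes and precedence. The same limitation applies to the `UsePAM`, `ClientAliveCountMax` and `ClientAliveInterval` assertions in SV-238211, SV-238212 and SV-238213.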
@@ -9,8 +9,17 @@ Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or -biometric. " - desc 'check', "Verify the Ubuntu operating system is configured to use strong authenticators in the +biometric." + desc "default", "Nonlocal maintenance and diagnostic activities are those activities conducted by +individuals communicating through a network, either an external network (e.g., the +internet) or an internal network. Local maintenance and diagnostic activities are those +activities carried out by individuals physically present at the information system or +information system component and not communicating across a network connection. +Typically, strong authentication requires authenticators that are resistant to replay +attacks and employ multifactor authentication. Strong authenticators include, for +example, PKI where certificates are stored on a token protected by a password, passphrase, or +biometric." + desc "check", "Verify the Ubuntu operating system is configured to use strong authenticators in the establishment of nonlocal maintenance and diagnostic maintenance. Verify that \"UsePAM\" 
@@ -23,25 +32,26 @@ If \"UsePAM\" is not set to \"yes\", this is a finding. If -conflicting results are returned, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to use strong authentication when establishing +conflicting results are returned, this is a finding." + desc "fix", "Configure the Ubuntu operating system to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. Add or modify the following line to /etc/ssh/sshd_config: -UsePAM yes " +UsePAM yes" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000125-GPOS-00065 ' - tag gid: 'V-238211 ' - tag rid: 'SV-238211r858519_rule ' - tag stig_id: 'UBTU-20-010035 ' - tag fix_id: 'F-41380r653807_fix ' - tag cci: ['CCI-000877'] - tag nist: ['MA-4 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000125-GPOS-00065 " + tag gid: "V-238211 " + tag rid: "SV-238211r858519_rule " + tag stig_id: "UBTU-20-010035 " + tag fix_id: "F-41380r653807_fix " + tag cci: ["CCI-000877"] + tag nist: ["MA-4 c"] describe sshd_config do its('UsePAM') { should cmp 'yes' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238212.rb b/controls/SV-238212.rb index 62d35dc..ed01257 100644 --- a/controls/SV-238212.rb +++ b/controls/SV-238212.rb @@ -1,4 +1,4 @@ -control 'SV-238212' do +control "SV-238212" do title "The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity. " desc "Automatic session termination addresses the termination of user-initiated logical 
@@ -20,8 +20,28 @@ This capability is typically reserved for specific Ubuntu operating system functionality where the system owner, data owner, or organization -requires additional assurance. " - desc 'check', "Verify that all network connections associated with SSH traffic automatically terminate +requires additional assurance." + desc "default", "Automatic session termination addresses the termination of user-initiated logical +sessions in contrast to the termination of network connections that are associated with +communications sessions (i.e., network disconnect). A logical session (for local, +network, and remote access) is initiated whenever a user (or process acting on behalf of a +user) accesses an organizational information system. Such user sessions can be terminated +(and thus terminate user access) without terminating network sessions. + +Session +termination terminates all processes associated with a user's logical session except those +processes that are specifically created by the user (i.e., session owner) to continue after +the session is terminated. + +Conditions or trigger events requiring automatic session +termination can include, for example, organization-defined periods of user inactivity, +targeted responses to certain types of incidents, and time-of-day restrictions on +information system use. + +This capability is typically reserved for specific Ubuntu +operating system functionality where the system owner, data owner, or organization +requires additional assurance." + desc "check", "Verify that all network connections associated with SSH traffic automatically terminate after a period of inactivity. Verify the \"ClientAliveCountMax\" variable is set in the 
@@ -35,8 +55,8 @@ If \"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding. If -conflicting results are returned, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to automatically terminate inactive SSH sessions +conflicting results are returned, this is a finding." + desc "fix", "Configure the Ubuntu operating system to automatically terminate inactive SSH sessions after a period of inactivity. Modify or append the following line in the @@ -48,18 +68,19 @@ Restart the SSH daemon for the changes to take effect: $ sudo -systemctl restart sshd.service " +systemctl restart sshd.service" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000126-GPOS-00066 ' - tag gid: 'V-238212 ' - tag rid: 'SV-238212r858521_rule ' - tag stig_id: 'UBTU-20-010036 ' - tag fix_id: 'F-41381r653810_fix ' - tag cci: ['CCI-000879'] - tag nist: ['MA-4 e'] + tag severity: "medium " + tag gtitle: "SRG-OS-000126-GPOS-00066 " + tag gid: "V-238212 " + tag rid: "SV-238212r858521_rule " + tag stig_id: "UBTU-20-010036 " + tag fix_id: "F-41381r653810_fix " + tag cci: ["CCI-000879"] + tag nist: ["MA-4 e"] describe sshd_config do its('ClientAliveCountMax') { should cmp 1 } end -end + +end \ No newline at end of file diff --git a/controls/SV-238213.rb b/controls/SV-238213.rb index 4186b72..c971880 100644 --- a/controls/SV-238213.rb +++ b/controls/SV-238213.rb @@ -1,4 +1,4 @@ -control 'SV-238213' do +control "SV-238213" do title "The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity. " desc "Terminating an idle session within a short time period reduces the window of opportunity for 
@@ -12,8 +12,20 @@ de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the -inactive session and releases the resources associated with that session. " - desc 'check', "Verify that all network connections associated with SSH traffic are automatically +inactive session and releases the resources associated with that session." + desc "default", "Terminating an idle session within a short time period reduces the window of opportunity for +unauthorized personnel to take control of a management session enabled on the console or +console port that has been left unattended. In addition, quickly terminating an idle session +will also free up resources committed by the managed network element. + +Terminating network +connections associated with communications sessions includes, for example, +de-allocating associated TCP/IP address/port pairs at the operating system level, and +de-allocating networking assignments at the application level if multiple application +sessions are using a single operating system-level network connection. This does not mean +that the operating system terminates all sessions or network access; it only ends the +inactive session and releases the resources associated with that session." + desc "check", "Verify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity. Verify the 
@@ -28,8 +40,8 @@ If \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding. If conflicting results are -returned, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to automatically terminate all network connections +returned, this is a finding." + desc "fix", "Configure the Ubuntu operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a 10-minute period of inactivity. @@ -41,18 +53,19 @@ Restart the SSH daemon for the changes to take effect: -$ sudo systemctl restart sshd.service " +$ sudo systemctl restart sshd.service" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000163-GPOS-00072 ' - tag gid: 'V-238213 ' - tag rid: 'SV-238213r858523_rule ' - tag stig_id: 'UBTU-20-010037 ' - tag fix_id: 'F-41382r653813_fix ' - tag cci: ['CCI-001133'] - tag nist: ['SC-10'] + tag severity: "medium " + tag gtitle: "SRG-OS-000163-GPOS-00072 " + tag gid: "V-238213 " + tag rid: "SV-238213r858523_rule " + tag stig_id: "UBTU-20-010037 " + tag fix_id: "F-41382r653813_fix " + tag cci: ["CCI-001133"] + tag nist: ["SC-10"] describe sshd_config do its('ClientAliveInterval') { should cmp 600 } end -end + +end \ No newline at end of file diff --git a/controls/SV-238214.rb b/controls/SV-238214.rb index 98f5766..e7167fd 100644 --- a/controls/SV-238214.rb +++ b/controls/SV-238214.rb @@ -1,4 +1,4 @@ -control 'SV-238214' do +control "SV-238214" do title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any local or remote connection to the system. " desc "Display of a standardized and approved use notification before granting access to the 
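Review bot: `its('ClientAliveInterval') { should cmp 600 }` in the SV-238213 tail hunk is stricter than the check text in the same file, which says a value of "600" or less is compliant and only a missing, larger, or commented-out value is a finding; a host hardened to 300 would be reported as failing this control. Replace the exact match with a bound, and guard the lower end because OpenSSH treats 0 as "send no client-alive messages", which would defeat the timeout: `its('ClientAliveInterval') { should cmp <= 600 }` and `its('ClientAliveInterval') { should cmp > 0 }`. A missing keyword still fails both expectations, which matches the check text.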
@@ -47,10 +47,55 @@ characters that can be displayed in the banner: \"I've read & consent to terms in IS user -agreem't.\" +agreem't.\"" + desc "default", "Display of a standardized and approved use notification before granting access to the +publicly accessible operating system ensures privacy and security notification verbiage +used is consistent with applicable federal laws, Executive Orders, directives, policies, +regulations, standards, and guidance. + +System use notifications are required only for +access via logon interfaces with human users and are not required when such human interfaces +do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the +following verbiage for operating systems that can accommodate banners of 1300 characters: + - " - desc 'check', "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent +\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only. + +By using this IS (which includes any device attached to this IS), +you consent to the following conditions: + +-The USG routinely intercepts and monitors +communications on this IS for purposes including, but not limited to, penetration testing, +COMSEC monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may +inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS +are not private, are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. + +-This IS includes security measures +(e.g., authentication and access controls) to protect USG interests--not for your personal +benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +Use the +following verbiage for operating systems that have severe limitations on the number of +characters that can be displayed in the banner: + +\"I've read & consent to terms in IS user +agreem't.\"" + desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via an SSH logon with the following command: @@ -101,8 +146,8 @@ Agreement for details.\" If the banner text does not match the Standard Mandatory DoD Notice -and Consent Banner exactly, this is a finding. " - desc 'fix', "Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file: +and Consent Banner exactly, this is a finding." + desc "fix", "Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file: $ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config 
@@ -145,17 +190,17 @@ SSH daemon for the changes to take effect and then signal the SSH server to reload the configuration file: -$ sudo systemctl -s SIGHUP kill sshd " +$ sudo systemctl -s SIGHUP kill sshd" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000228-GPOS-00088 ' - tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006) - tag gid: 'V-238214 ' - tag rid: 'SV-238214r858525_rule ' - tag stig_id: 'UBTU-20-010038 ' - tag fix_id: 'F-41383r653816_fix ' - tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388) - tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3'] + tag severity: "medium " + tag gtitle: "SRG-OS-000228-GPOS-00088 " + tag satisfies: ["SRG-OS-000228-GPOS-00088", "SRG-OS-000023-GPOS-00006"] + tag gid: "V-238214 " + tag rid: "SV-238214r858525_rule " + tag stig_id: "UBTU-20-010038 " + tag fix_id: "F-41383r653816_fix " + tag cci: ["CCI-000048", "CCI-001384", "CCI-001385", "CCI-001386", "CCI-001387", "CCI-001388"] + tag nist: ["AC-8 a", "AC-8 c 1", "AC-8 c 2", "AC-8 c 3"] banner_text = input('banner_text') banner_files = [sshd_config.banner].flatten @@ -187,4 +232,5 @@ it { should cmp clean_banner } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238215.rb b/controls/SV-238215.rb index 0ce0297..a24ecd1 100644 --- a/controls/SV-238215.rb +++ b/controls/SV-238215.rb @@ -1,4 +1,4 @@ -control 'SV-238215' do +control "SV-238215" do title "The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information. " desc "Without protection of the transmitted information, confidentiality and integrity may be 
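Review bot: `banner_files = [sshd_config.banner].flatten` in the SV-238214 tail hunk yields `[nil]` when `Banner` is absent, since the `sshd_config` resource appears to return nil for a missing keyword; the describe loop that consumes the list is outside this hunk, so I cannot see whether it guards against that. Unless it does, add `.compact` and an explicit expectation that the directive exists, because the check text treats a missing banner as a finding and iterating an empty list would silently produce no result: `banner_files = [sshd_config.banner].flatten.compact` plus `describe sshd_config do its('banner') { should_not be_nil } end`.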
@@ -15,10 +15,23 @@ confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then -logical means (cryptography) do not have to be employed, and vice versa. +logical means (cryptography) do not have to be employed, and vice versa." + desc "default", "Without protection of the transmitted information, confidentiality and integrity may be +compromised because unprotected communications can be intercepted and either read or +altered. - " - desc 'check', "Verify the SSH package is installed with the following command: +This requirement applies to both internal and external networks and all types of +information system components from which information can be transmitted (e.g., servers, +mobile devices, notebook computers, printers, copiers, scanners, and facsimile +machines). Communication paths outside the physical protection of a controlled boundary +are exposed to the possibility of interception and modification. + +Protecting the +confidentiality and integrity of organizational information can be accomplished by +physical means (e.g., employing physical distribution systems) or by logical means (e.g., +employing cryptographic techniques). If physical means of protection are employed, then +logical means (cryptography) do not have to be employed, and vice versa." + desc "check", "Verify the SSH package is installed with the following command: $ sudo dpkg -l | grep openssh 
@@ -42,8 +55,8 @@ Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1 weeks 3 days ago -If \"sshd.service\" is not active or loaded, this is a finding. " - desc 'fix', "Install the \"ssh\" meta-package on the system with the following command: +If \"sshd.service\" is not active or loaded, this is a finding." + desc "fix", "Install the \"ssh\" meta-package on the system with the following command: $ sudo apt install ssh @@ -56,17 +69,17 @@ ensure the \"ssh\" service is running $ sudo -systemctl start sshd.service " +systemctl start sshd.service" impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000423-GPOS-00187 ' - tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190) - tag gid: 'V-238215 ' - tag rid: 'SV-238215r853406_rule ' - tag stig_id: 'UBTU-20-010042 ' - tag fix_id: 'F-41384r653819_fix ' - tag cci: %w(CCI-002418 CCI-002420 CCI-002422) - tag nist: ['SC-8', 'SC-8 (2)'] + tag severity: "high " + tag gtitle: "SRG-OS-000423-GPOS-00187 " + tag satisfies: ["SRG-OS-000423-GPOS-00187", "SRG-OS-000425-GPOS-00189", "SRG-OS-000426-GPOS-00190"] + tag gid: "V-238215 " + tag rid: "SV-238215r853406_rule " + tag stig_id: "UBTU-20-010042 " + tag fix_id: "F-41384r653819_fix " + tag cci: ["CCI-002418", "CCI-002420", "CCI-002422"] + tag nist: ["SC-8", "SC-8 (2)"] describe package('openssh-client') do it { should be_installed } @@ -85,4 +98,5 @@ it { should be_installed } it { should be_running } end -end + +end \ No newline at end of file diff --git a/controls/SV-238216.rb b/controls/SV-238216.rb index 3490a72..0557faf 100644 --- a/controls/SV-238216.rb +++ b/controls/SV-238216.rb @@ -1,4 +1,4 @@ -control 'SV-238216' do +control "SV-238216" do title "The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during 
@@ -22,10 +22,28 @@ unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication -codes. +codes." + desc "default", "Without cryptographic integrity protections, information can be altered by unauthorized +users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information +systems by an authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for example, +dial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are +those activities conducted by individuals communicating through a network, either an +external network (e.g., the internet) or an internal network. + +Local maintenance and +diagnostic activities are those activities carried out by individuals physically present +at the information system or information system component and not communicating across a +network connection. - " - desc 'check', "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers +Encrypting information for transmission protects information from +unauthorized disclosure and modification. Cryptographic mechanisms implemented to +protect information integrity include, for example, cryptographic hash functions which +have common application in digital signatures, checksums, and message authentication +codes." + desc "check", "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers with the following command: $ grep -ir macs /etc/ssh/sshd_config* 
@@ -36,8 +54,8 @@ If any ciphers other than \"hmac-sha2-512\" or \"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is commented out, this is a finding. -If conflicting results are returned, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS +If conflicting results are returned, this is a finding." + desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS 140-2 approved ciphers. Add the following line (or modify the line to have the required @@ -50,17 +68,17 @@ Restart the SSH daemon for the changes to take effect: $ -sudo systemctl reload sshd.service " +sudo systemctl reload sshd.service" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000424-GPOS-00188 ' - tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173) - tag gid: 'V-238216 ' - tag rid: 'SV-238216r860820_rule ' - tag stig_id: 'UBTU-20-010043 ' - tag fix_id: 'F-41385r653822_fix ' - tag cci: %w(CCI-001453 CCI-002421 CCI-002890) - tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000424-GPOS-00188 " + tag satisfies: ["SRG-OS-000424-GPOS-00188", "SRG-OS-000250-GPOS-00093", "SRG-OS-000393-GPOS-00173"] + tag gid: "V-238216 " + tag rid: "SV-238216r860820_rule " + tag stig_id: "UBTU-20-010043 " + tag fix_id: "F-41385r653822_fix " + tag cci: ["CCI-001453", "CCI-002421", "CCI-002890"] + tag nist: ["AC-17 (2)", "SC-8 (1)", "MA-4 (6)"] @macs_array = inspec.sshd_config.params['macs'] @@ -69,4 +87,5 @@ describe @macs_array do it { should be_in %w(hmac-sha2-256 hmac-sha2-512) } end -end + +end \ No newline at end of file diff --git a/controls/SV-238217.rb b/controls/SV-238217.rb index d135ffc..71fade7 100644 --- a/controls/SV-238217.rb +++ b/controls/SV-238217.rb 
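Review bot: The SV-238216 assertion `it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }` only tests set membership, while the check text in the same file makes a differing order (`hmac-sha2-512,hmac-sha2-256`) or a commented-out `MACs` line a finding, so a host configured as `MACs hmac-sha2-256,hmac-sha2-512` passes this test but fails the STIG. The lines between `@macs_array = inspec.sshd_config.params['macs']` and the `describe` are not in the diff, so I cannot see how the value is split, but an exact comparison of the effective value sidesteps the question: `describe sshd_config do its('macs') { should cmp 'hmac-sha2-512,hmac-sha2-256' } end`. If the resource hands back a one-element array for the keyword, `cmp` should still compare it as a scalar; worth confirming on a real host.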
@@ -1,4 +1,4 @@ -control 'SV-238217' do +control "SV-238217" do title "The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. " 
@@ -27,10 +27,34 @@ By specifying a cipher list with the order of ciphers being in a \"strongest to weakest\" orientation, the system will automatically attempt to use the strongest cipher for -securing SSH connections. +securing SSH connections." + desc "default", "Without cryptographic integrity protections, information can be altered by unauthorized +users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information +systems by an authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for example, +dial-up, broadband, and wireless. + +Nonlocal maintenance and diagnostic activities are +those activities conducted by individuals communicating through a network, either an +external network (e.g., the internet) or an internal network. + +Local maintenance and +diagnostic activities are those activities carried out by individuals physically present +at the information system or information system component and not communicating across a +network connection. + +Encrypting information for transmission protects information from +unauthorized disclosure and modification. Cryptographic mechanisms implemented to +protect information integrity include, for example, cryptographic hash functions which +have common application in digital signatures, checksums, and message authentication +codes. - " - desc 'check', "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running +By specifying a cipher list with the order of ciphers being in a \"strongest to +weakest\" orientation, the system will automatically attempt to use the strongest cipher for +securing SSH connections." + desc "check", "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running the following command: $ grep -r 'Ciphers' /etc/ssh/sshd_config* 
@@ -42,8 +66,8 @@ \"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding. If -conflicting results are returned, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to allow the SSH daemon to only implement +conflicting results are returned, this is a finding." + desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to only implement FIPS-approved algorithms. Add the following line (or modify the line to have the required @@ -56,17 +80,17 @@ Restart the SSH daemon for the changes to take effect: -$ sudo systemctl restart sshd.service " +$ sudo systemctl restart sshd.service" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000424-GPOS-00188 ' - tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174) - tag gid: 'V-238217 ' - tag rid: 'SV-238217r860821_rule ' - tag stig_id: 'UBTU-20-010044 ' - tag fix_id: 'F-41386r653825_fix ' - tag cci: %w(CCI-000068 CCI-002421 CCI-003123) - tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000424-GPOS-00188 " + tag satisfies: ["SRG-OS-000424-GPOS-00188", "SRG-OS-000033-GPOS-00014", "SRG-OS-000394-GPOS-00174"] + tag gid: "V-238217 " + tag rid: "SV-238217r860821_rule " + tag stig_id: "UBTU-20-010044 " + tag fix_id: "F-41386r653825_fix " + tag cci: ["CCI-000068", "CCI-002421", "CCI-003123"] + tag nist: ["AC-17 (2)", "SC-8 (1)", "MA-4 (6)"] @ciphers_array = inspec.sshd_config.params['ciphers'] @@ -75,4 +99,5 @@ describe @ciphers_array do it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) } end -end + +end \ No newline at end of file diff --git a/controls/SV-238218.rb b/controls/SV-238218.rb index daead49..a6dfaf0 100644 --- a/controls/SV-238218.rb +++ b/controls/SV-238218.rb 
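Review bot: SV-238217 has the same gap: `it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) }` accepts any subset in any order, whereas the check text makes a reordered list, a missing `Ciphers` keyword, or a commented-out line a finding. The example order is outside this hunk, but if it is the `aes256-ctr,aes192-ctr,aes128-ctr` sequence the `%w` list suggests, an exact comparison states the requirement directly: `describe sshd_config do its('ciphers') { should cmp 'aes256-ctr,aes192-ctr,aes128-ctr' } end`. The lines between the `@ciphers_array` assignment and the `describe` block are not in the diff, so if they already split and order-check the value, only the `be_in` expectation needs revisiting.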
@@ -1,8 +1,10 @@ -control 'SV-238218' do - title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. ' +control "SV-238218" do + title "The Ubuntu operating system must not allow unattended or automatic login via SSH. " desc "Failure to restrict system access to authenticated users negatively impacts Ubuntu -operating system security. " - desc 'check', "Verify that unattended or automatic login via SSH is disabled with the following command: +operating system security." + desc "default", "Failure to restrict system access to authenticated users negatively impacts Ubuntu +operating system security." + desc "check", "Verify that unattended or automatic login via SSH is disabled with the following command: $ egrep -r '(Permit(.*?)(Passwords|Environment))' @@ -15,8 +17,8 @@ \"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are missing completely, or are commented out, this is a finding. If conflicting results are -returned, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or +returned, this is a finding." + desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or automatic login to the system. Add or edit the following lines in the 
@@ -29,19 +31,20 @@ Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart -sshd.service " +sshd.service" impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000480-GPOS-00229 ' - tag gid: 'V-238218 ' - tag rid: 'SV-238218r858531_rule ' - tag stig_id: 'UBTU-20-010047 ' - tag fix_id: 'F-41387r653828_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00229 " + tag gid: "V-238218 " + tag rid: "SV-238218r858531_rule " + tag stig_id: "UBTU-20-010047 " + tag fix_id: "F-41387r653828_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] describe sshd_config do its('PermitEmptyPasswords') { should cmp 'no' } its('PermitUserEnvironment') { should cmp 'no' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238219.rb b/controls/SV-238219.rb index e3ac804..a82ee15 100644 --- a/controls/SV-238219.rb +++ b/controls/SV-238219.rb @@ -1,4 +1,4 @@ -control 'SV-238219' do +control "SV-238219" do title "The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. " desc "The security risk of using X11 forwarding is that the client's X11 display server may be 
@@ -14,8 +14,22 @@ If X11 services are not required for the system's intended function, they should be disabled or -restricted as appropriate to the system’s needs. " - desc 'check', "Verify that X11Forwarding is disabled with the following command: +restricted as appropriate to the system’s needs." + desc "default", "The security risk of using X11 forwarding is that the client's X11 display server may be +exposed to attack when the SSH client requests forwarding. A System Administrator may have a +stance in which they want to protect clients that may expose themselves to attack by +unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. + +X11 +forwarding should be enabled with caution. Users with the ability to bypass file permissions +on the remote host (for the user's X11 authorization database) can access the local X11 +display through the forwarded connection. An attacker may then be able to perform activities +such as keystroke monitoring if the ForwardX11Trusted option is also enabled. + +If X11 +services are not required for the system's intended function, they should be disabled or +restricted as appropriate to the system’s needs." + desc "check", "Verify that X11Forwarding is disabled with the following command: $ grep -ir x11forwarding /etc/ssh/sshd_config* | grep -v \"^#\" 
@@ -26,8 +40,8 @@ \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement or is missing, this is a finding. If -conflicting results are returned, this is a finding. " - desc 'fix', "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" +conflicting results are returned, this is a finding." + desc "fix", "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): @@ -37,18 +51,19 @@ Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart -sshd.service " +sshd.service" impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000480-GPOS-00227 ' - tag gid: 'V-238219 ' - tag rid: 'SV-238219r858533_rule ' - tag stig_id: 'UBTU-20-010048 ' - tag fix_id: 'F-41388r653831_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-238219 " + tag rid: "SV-238219r858533_rule " + tag stig_id: "UBTU-20-010048 " + tag fix_id: "F-41388r653831_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] describe sshd_config do its('X11Forwarding') { should cmp 'no' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238220.rb b/controls/SV-238220.rb index da865dd..176f688 100644 --- a/controls/SV-238220.rb +++ b/controls/SV-238220.rb 
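Review bot: `its('X11Forwarding') { should cmp 'no' }` in the SV-238219 tail hunk fails unconditionally on `yes`, but the check text in the preceding hunk on this line only makes `yes` a finding when it is not documented with the ISSO as an operational requirement. Since this profile already drives behavior from inputs (`input('banner_text')` in SV-238214), consider expressing that exception the same way, e.g. wrapping the describe in `unless input('x11_forwarding_required')` with a documented default of false, so a sanctioned deployment is not reported as a high-severity failure. The trailing space in `tag severity: "high "` and the other tag values should be trimmed here as well.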
@@ -1,12 +1,17 @@ -control 'SV-238220' do +control "SV-238220" do title "The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display. " desc "When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from -connecting to the proxy display. " - desc 'check', "Verify the SSH daemon prevents remote hosts from connecting to the proxy display. +connecting to the proxy display." + desc "default", "When X11 forwarding is enabled, there may be additional exposure to the server and client +displays if the sshd proxy display is configured to listen on the wildcard address. By +default, sshd binds the forwarding server to the loopback address and sets the hostname part +of the DISPLAY environment variable to localhost. This prevents remote hosts from +connecting to the proxy display." + desc "check", "Verify the SSH daemon prevents remote hosts from connecting to the proxy display. Check the SSH X11UseLocalhost setting with the following command: @@ -18,8 +23,8 @@ If the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding. If conflicting results are -returned, this is a finding. " - desc 'fix', "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. +returned, this is a finding." + desc "fix", "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\" 
@@ -32,18 +37,19 @@ Restart the SSH daemon for the changes to take effect: $ sudo -systemctl restart sshd.service " +systemctl restart sshd.service" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000480-GPOS-00227 ' - tag gid: 'V-238220 ' - tag rid: 'SV-238220r858535_rule ' - tag stig_id: 'UBTU-20-010049 ' - tag fix_id: 'F-41389r653834_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-238220 " + tag rid: "SV-238220r858535_rule " + tag stig_id: "UBTU-20-010049 " + tag fix_id: "F-41389r653834_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] describe sshd_config do its('X11UseLocalhost') { should cmp 'yes' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238221.rb b/controls/SV-238221.rb index 3731da0..7348bc9 100644 --- a/controls/SV-238221.rb +++ b/controls/SV-238221.rb @@ -1,4 +1,4 @@ -control 'SV-238221' do +control "SV-238221" do title "The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used. " desc "Use of a complex password helps to increase the time and resources required to compromise the 
@@ -8,8 +8,16 @@ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the -password is compromised. " - desc 'check', "Verify the Ubuntu operating system enforces password complexity by requiring that at least +password is compromised." + desc "default", "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor of several that determines how long it takes to crack a password. The more complex the +password, the greater the number of possible combinations that need to be tested before the +password is compromised." + desc "check", "Verify the Ubuntu operating system enforces password complexity by requiring that at least one upper-case character be used. Determine if the field \"ucredit\" is set in the 
@@ -20,20 +28,20 @@ ucredit=-1 If the \"ucredit\" parameter is greater than -\"-1\" or is commented out, this is a finding. " - desc 'fix', "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter: +\"-1\" or is commented out, this is a finding." + desc "fix", "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter: -ucredit=-1 " +ucredit=-1" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000069-GPOS-00037 ' - tag gid: 'V-238221 ' - tag rid: 'SV-238221r653838_rule ' - tag stig_id: 'UBTU-20-010050 ' - tag fix_id: 'F-41390r653837_fix ' - tag cci: ['CCI-000192'] - tag nist: ['IA-5 (1) (a)'] + tag severity: "low " + tag gtitle: "SRG-OS-000069-GPOS-00037 " + tag gid: "V-238221 " + tag rid: "SV-238221r653838_rule " + tag stig_id: "UBTU-20-010050 " + tag fix_id: "F-41390r653837_fix " + tag cci: ["CCI-000192"] + tag nist: ["IA-5 (1) (a)"] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -48,4 +56,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238222.rb b/controls/SV-238222.rb index 7d5229e..5b2944b 100644 --- a/controls/SV-238222.rb +++ b/controls/SV-238222.rb @@ -1,4 +1,4 @@ -control 'SV-238222' do +control "SV-238222" do title "The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used. " desc "Use of a complex password helps to increase the time and resources required to compromise the 
@@ -8,8 +8,16 @@ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the -password is compromised. " - desc 'check', "Verify the Ubuntu operating system enforces password complexity by requiring that at least +password is compromised." + desc "default", "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor of several that determines how long it takes to crack a password. The more complex the +password, the greater the number of possible combinations that need to be tested before the +password is compromised." + desc "check", "Verify the Ubuntu operating system enforces password complexity by requiring that at least one lower-case character be used. Determine if the field \"lcredit\" is set in the 
@@ -20,20 +28,20 @@ lcredit=-1 If the \"lcredit\" parameter is greater than -\"-1\" or is commented out, this is a finding. " - desc 'fix', "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter: +\"-1\" or is commented out, this is a finding." + desc "fix", "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter: -lcredit=-1 " +lcredit=-1" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000070-GPOS-00038 ' - tag gid: 'V-238222 ' - tag rid: 'SV-238222r653841_rule ' - tag stig_id: 'UBTU-20-010051 ' - tag fix_id: 'F-41391r653840_fix ' - tag cci: ['CCI-000193'] - tag nist: ['IA-5 (1) (a)'] + tag severity: "low " + tag gtitle: "SRG-OS-000070-GPOS-00038 " + tag gid: "V-238222 " + tag rid: "SV-238222r653841_rule " + tag stig_id: "UBTU-20-010051 " + tag fix_id: "F-41391r653840_fix " + tag cci: ["CCI-000193"] + tag nist: ["IA-5 (1) (a)"] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -48,4 +56,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238223.rb b/controls/SV-238223.rb index 17acbb4..b2159d6 100644 --- a/controls/SV-238223.rb +++ b/controls/SV-238223.rb @@ -1,4 +1,4 @@ -control 'SV-238223' do +control "SV-238223" do title "The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used. " desc "Use of a complex password helps to increase the time and resources required to compromise the 
@@ -8,8 +8,16 @@ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the -password is compromised. " - desc 'check', "Verify the Ubuntu operating system enforces password complexity by requiring that at least +password is compromised." + desc "default", "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor of several that determines how long it takes to crack a password. The more complex the +password, the greater the number of possible combinations that need to be tested before the +password is compromised." + desc "check", "Verify the Ubuntu operating system enforces password complexity by requiring that at least one numeric character be used. Determine if the field \"dcredit\" is set in the 
@@ -20,23 +28,23 @@ dcredit=-1 If the \"dcredit\" parameter is greater than -\"-1\" or is commented out, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to enforce password complexity by requiring that at +\"-1\" or is commented out, this is a finding." + desc "fix", "Configure the Ubuntu operating system to enforce password complexity by requiring that at least one numeric character be used. Add or update the \"/etc/security/pwquality.conf\" file to contain the \"dcredit\" parameter: -dcredit=-1 " +dcredit=-1" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000071-GPOS-00039 ' - tag gid: 'V-238223 ' - tag rid: 'SV-238223r653844_rule ' - tag stig_id: 'UBTU-20-010052 ' - tag fix_id: 'F-41392r653843_fix ' - tag cci: ['CCI-000194'] - tag nist: ['IA-5 (1) (a)'] + tag severity: "low " + tag gtitle: "SRG-OS-000071-GPOS-00039 " + tag gid: "V-238223 " + tag rid: "SV-238223r653844_rule " + tag stig_id: "UBTU-20-010052 " + tag fix_id: "F-41392r653843_fix " + tag cci: ["CCI-000194"] + tag nist: ["IA-5 (1) (a)"] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -51,4 +59,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238224.rb b/controls/SV-238224.rb index 7e07347..35a9c55 100644 --- a/controls/SV-238224.rb +++ b/controls/SV-238224.rb @@ -1,4 +1,4 @@ -control 'SV-238224' do +control "SV-238224" do title "The Ubuntu operating system must require the change of at least 8 characters when passwords are changed. " desc "If the operating system allows the user to consecutively reuse extensive portions of 
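Review bot: The `@@ -51,4 +59,5 @@` hunk replaces the closing `end` with a blank line followed by `end` and drops the file's trailing newline (`\ No newline at end of file`), which is the opposite of what a formatting pass should produce. A missing final newline makes every later diff of this file noisier and trips rubocop's Layout/TrailingEmptyLines, and the inserted blank line before `end` is likely to be flagged as well. I'd keep the original single `end` terminated by a newline. The same end-of-file change appears in every control in this patch, so it looks like a formatter setting rather than an intentional edit.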
@@ -12,8 +12,20 @@ If the password length is an odd number then number of changed characters must be rounded up. For -example, a password length of 15 characters must require the change of at least 8 characters. " - desc 'check', "Verify the Ubuntu operating system requires the change of at least eight characters when +example, a password length of 15 characters must require the change of at least 8 characters." + desc "default", "If the operating system allows the user to consecutively reuse extensive portions of +passwords, this increases the chances of password compromise by increasing the window of +opportunity for attempts at guessing and brute-force attacks. + +The number of changed +characters refers to the number of changes required with respect to the total number of +positions in the current password. In other words, characters may be the same within the two +passwords; however, the positions of the like characters must be different. + +If the +password length is an odd number then number of changed characters must be rounded up. For +example, a password length of 15 characters must require the change of at least 8 characters." + desc "check", "Verify the Ubuntu operating system requires the change of at least eight characters when passwords are changed. Determine if the field \"difok\" is set in the 
@@ -24,23 +36,23 @@ difok=8 If the \"difok\" parameter is less than \"8\" or is -commented out, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to require the change of at least eight characters when +commented out, this is a finding." + desc "fix", "Configure the Ubuntu operating system to require the change of at least eight characters when passwords are changed. Add or update the \"/etc/security/pwquality.conf\" file to include the \"difok=8\" parameter: -difok=8 " +difok=8" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000072-GPOS-00040 ' - tag gid: 'V-238224 ' - tag rid: 'SV-238224r653847_rule ' - tag stig_id: 'UBTU-20-010053 ' - tag fix_id: 'F-41393r653846_fix ' - tag cci: ['CCI-000195'] - tag nist: ['IA-5 (1) (b)'] + tag severity: "low " + tag gtitle: "SRG-OS-000072-GPOS-00040 " + tag gid: "V-238224 " + tag rid: "SV-238224r653847_rule " + tag stig_id: "UBTU-20-010053 " + tag fix_id: "F-41393r653846_fix " + tag cci: ["CCI-000195"] + tag nist: ["IA-5 (1) (b)"] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -55,4 +67,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238225.rb b/controls/SV-238225.rb index cfbe386..3ec8e44 100644 --- a/controls/SV-238225.rb +++ b/controls/SV-238225.rb @@ -1,5 +1,5 @@ -control 'SV-238225' do - title 'The Ubuntu operating system must enforce a minimum 15-character password length. ' +control "SV-238225" do + title "The Ubuntu operating system must enforce a minimum 15-character password length. " desc "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
@@ -7,8 +7,16 @@ effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the -time and/or resources required to compromise the password. " - desc 'check', "Verify the pwquality configuration file enforces a minimum 15-character password length by +time and/or resources required to compromise the password." + desc "default", "The shorter the password, the lower the number of possible combinations that need to be tested +before the password is compromised. + +Password complexity, or strength, is a measure of the +effectiveness of a password in resisting attempts at guessing and brute-force attacks. +Password length is one factor of several that helps to determine strength and how long it takes +to crack a password. Use of more characters in a password helps to exponentially increase the +time and/or resources required to compromise the password." + desc "check", "Verify the pwquality configuration file enforces a minimum 15-character password length by running the following command: $ grep -i minlen 
@@ -16,23 +24,23 @@ minlen=15 If \"minlen\" parameter value is not \"15\" or -higher or is commented out, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to enforce a minimum 15-character password length. +higher or is commented out, this is a finding." + desc "fix", "Configure the Ubuntu operating system to enforce a minimum 15-character password length. Add or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file: -minlen=15 " +minlen=15" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000078-GPOS-00046 ' - tag gid: 'V-238225 ' - tag rid: 'SV-238225r832942_rule ' - tag stig_id: 'UBTU-20-010054 ' - tag fix_id: 'F-41394r653849_fix ' - tag cci: ['CCI-000205'] - tag nist: ['IA-5 (1) (a)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000078-GPOS-00046 " + tag gid: "V-238225 " + tag rid: "SV-238225r832942_rule " + tag stig_id: "UBTU-20-010054 " + tag fix_id: "F-41394r653849_fix " + tag cci: ["CCI-000205"] + tag nist: ["IA-5 (1) (a)"] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -47,4 +55,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238226.rb b/controls/SV-238226.rb index e608a9b..4f65401 100644 --- a/controls/SV-238226.rb +++ b/controls/SV-238226.rb @@ -1,4 +1,4 @@ -control 'SV-238226' do +control "SV-238226" do title "The Ubuntu operating system must enforce password complexity by requiring that at least one special character be used. " desc "Use of a complex password helps to increase the time and resources required to compromise the 
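Review bot: The quote-style rewrite in the `@@ -16,23 +24,23 @@` hunk is only half applied: `control`, `desc` and every `tag` move to double quotes, but the context line `config_file = '/etc/security/pwquality.conf'` directly below the tags stays single-quoted, as does `file(config_file)` usage in the body. Whichever style the profile's rubocop config enforces (Style/StringLiterals), one of the two halves will now be flagged. If the intent is double quotes throughout, `config_file = "/etc/security/pwquality.conf"` belongs in the same pass; otherwise the tag and `control` lines probably should not have changed. The body of this control continues past the hunk.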
@@ -11,32 +11,43 @@ compromised. Special characters are those characters that are not alphanumeric. -Examples include: ~ ! @ # $ % ^ *. " - desc 'check', "Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the +Examples include: ~ ! @ # $ % ^ *." + desc "default", "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity or strength is a measure of the effectiveness of a password in +resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor in determining how long it takes to crack a password. The more complex the password, the +greater the number of possible combinations that need to be tested before the password is +compromised. + +Special characters are those characters that are not alphanumeric. +Examples include: ~ ! @ # $ % ^ *." + desc "check", "Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the following command: $ grep -i \"ocredit\" /etc/security/pwquality.conf ocredit=-1 If -the \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to enforce password complexity by requiring that at +the \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding." + desc "fix", "Configure the Ubuntu operating system to enforce password complexity by requiring that at least one special character be used. 
Add or update the following line in the \"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter: -ocredit=-1 " +ocredit=-1" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000266-GPOS-00101 ' - tag gid: 'V-238226 ' - tag rid: 'SV-238226r653853_rule ' - tag stig_id: 'UBTU-20-010055 ' - tag fix_id: 'F-41395r653852_fix ' - tag cci: ['CCI-001619'] - tag nist: ['IA-5 (1) (a)'] + tag severity: "low " + tag gtitle: "SRG-OS-000266-GPOS-00101 " + tag gid: "V-238226 " + tag rid: "SV-238226r653853_rule " + tag stig_id: "UBTU-20-010055 " + tag fix_id: "F-41395r653852_fix " + tag cci: ["CCI-001619"] + tag nist: ["IA-5 (1) (a)"] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -51,4 +62,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238227.rb b/controls/SV-238227.rb index f664e1a..7f1ca5a 100644 --- a/controls/SV-238227.rb +++ b/controls/SV-238227.rb 
@@ -1,9 +1,12 @@ -control 'SV-238227' do - title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. ' +control "SV-238227" do + title "The Ubuntu operating system must prevent the use of dictionary words for passwords. " desc "If the Ubuntu operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for -successful guesses and brute-force attacks. " - desc 'check', "Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of +successful guesses and brute-force attacks." + desc "default", "If the Ubuntu operating system allows the user to select passwords based on dictionary words, +then this increases the chances of password compromise by increasing the opportunity for +successful guesses and brute-force attacks." + desc "check", "Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of dictionary words with the following command: $ grep dictcheck 
@@ -12,23 +15,23 @@ dictcheck=1 If the \"dictcheck\" parameter is not set to -\"1\" or is commented out, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to prevent the use of dictionary words for passwords. +\"1\" or is commented out, this is a finding." + desc "fix", "Configure the Ubuntu operating system to prevent the use of dictionary words for passwords. Add or update the following line in the \"/etc/security/pwquality.conf\" file to include the \"dictcheck=1\" parameter: -dictcheck=1 " +dictcheck=1" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000480-GPOS-00225 ' - tag gid: 'V-238227 ' - tag rid: 'SV-238227r653856_rule ' - tag stig_id: 'UBTU-20-010056 ' - tag fix_id: 'F-41396r653855_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000480-GPOS-00225 " + tag gid: "V-238227 " + tag rid: "SV-238227r653856_rule " + tag stig_id: "UBTU-20-010056 " + tag fix_id: "F-41396r653855_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -43,4 +46,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238228.rb b/controls/SV-238228.rb index 39bd11c..10358fd 100644 --- a/controls/SV-238228.rb +++ b/controls/SV-238228.rb 
@@ -1,12 +1,17 @@ -control 'SV-238228' do +control "SV-238228" do title "The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. " desc "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the -system. " - desc 'check', "Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running +system." + desc "default", "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex +password construction configuration and has the ability to limit brute-force attacks on the +system." + desc "check", "Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running the following command: $ dpkg -l libpam-pwquality @@ -43,8 +48,8 @@ commented out, this is a finding. If the value of \"retry\" is set to \"0\" or greater than \"3\", -this is a finding. " - desc 'fix', "Configure the operating system to use \"pwquality\" to enforce password complexity rules. +this is a finding." + desc "fix", "Configure the operating system to use \"pwquality\" to enforce password complexity rules. Install the \"pam_pwquality\" package by using the following command: 
@@ -64,16 +69,16 @@ requisite pam_pwquality.so retry=3 Note: The value of \"retry\" should be between \"1\" and -\"3\". " +\"3\"." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000480-GPOS-00225 ' - tag gid: 'V-238228 ' - tag rid: 'SV-238228r653859_rule ' - tag stig_id: 'UBTU-20-010057 ' - tag fix_id: 'F-41397r653858_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000480-GPOS-00225 " + tag gid: "V-238228 " + tag rid: "SV-238228r653859_rule " + tag stig_id: "UBTU-20-010057 " + tag fix_id: "F-41397r653858_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] describe package('libpam-pwquality') do it { should be_installed } @@ -86,4 +91,5 @@ describe file('/etc/pam.d/common-password') do its('content') { should match '^password\s+requisite\s+pam_pwquality.so\s+retry=3\s+enforce_for_root$' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238229.rb b/controls/SV-238229.rb index 62f4eb9..509fac3 100644 --- a/controls/SV-238229.rb +++ b/controls/SV-238229.rb @@ -1,4 +1,4 @@ -control 'SV-238229' do +control "SV-238229" do title "The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. " 
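Review bot: The expectation kept as context in the `@@ -86,4 +91,5 @@` hunk, `its('content') { should match '^password\s+requisite\s+pam_pwquality.so\s+retry=3\s+enforce_for_root$' }`, is stricter than the check text carried in the same patch: the check says `retry` between 1 and 3 passes, but the test accepts only `retry=3`, and the `$` anchor also fails a line where `enforce_for_root` precedes `retry` or any further pam_pwquality option follows it. The unescaped `.` in `pam_pwquality.so` is a minor looseness in the other direction. Since the file is being touched anyway, I'd align the test with the documented condition, e.g. `its('content') { should match(/^password\s+requisite\s+pam_pwquality\.so\b.*\bretry=[1-3]\b/) }`, with a separate expectation for `enforce_for_root` if that is meant to be mandatory — the visible check text does not mention it. The start of the check text and of the `describe file` block lie outside the hunk.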
@@ -21,8 +21,28 @@ to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the -certificate status information is out of scope for this requirement. " - desc 'check', "Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates +certificate status information is out of scope for this requirement." + desc "default", "Without path validation, an informed trust decision by the relying party cannot be made when +presented with any certificate not already explicitly trusted. + +A trust anchor is an +authoritative entity represented via a public key and associated data. It is used in the +context of public key infrastructures, X.509 digital certificates, and DNSSEC. + +When +there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can +be, for example, a Certification Authority (CA). A certification path starts with the +subject certificate and proceeds through a number of intermediate certificates up to a +trusted root certificate, typically issued by a trusted CA. + +This requirement verifies +that a certification path to an accepted trust anchor is used for certificate validation and +that the path includes status information. Path validation is necessary for a relying party +to make an informed trust decision when presented with any certificate not already +explicitly trusted. Status information for certification paths includes certificate +revocation lists or online certificate status protocol responses. Validation of the +certificate status information is out of scope for this requirement." + desc "check", "Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates by constructing a certification path to an accepted trust anchor. Determine which pkcs11 
@@ -37,8 +57,8 @@ module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs ca,signature,ocsp_on; If \"cert_policy\" is not set to \"ca\" or the line is commented out, -this is a finding. " - desc 'fix', "Configure the Ubuntu operating system, for PKI-based authentication, to validate +this is a finding." + desc "fix", "Configure the Ubuntu operating system, for PKI-based authentication, to validate certificates by constructing a certification path to an accepted trust anchor. Determine @@ -54,16 +74,16 @@ module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs If the system is missing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify accordingly at -\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". " +\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000066-GPOS-00034 ' - tag gid: 'V-238229 ' - tag rid: 'SV-238229r653862_rule ' - tag stig_id: 'UBTU-20-010060 ' - tag fix_id: 'F-41398r653861_fix ' - tag cci: ['CCI-000185'] - tag nist: ['IA-5 (2) (b) (1)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000066-GPOS-00034 " + tag gid: "V-238229 " + tag rid: "SV-238229r653862_rule " + tag stig_id: "UBTU-20-010060 " + tag fix_id: "F-41398r653861_fix " + tag cci: ["CCI-000185"] + tag nist: ["IA-5 (2) (b) (1)"] config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? if config_file_exists @@ -77,4 +97,5 @@ module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238230.rb b/controls/SV-238230.rb index 1c09f9d..f077f98 100644 --- a/controls/SV-238230.rb +++ b/controls/SV-238230.rb 
@@ -1,4 +1,4 @@ -control 'SV-238230' do +control "SV-238230" do title "The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. " 
@@ -23,8 +23,30 @@ This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring -the device itself (management). " - desc 'check', "Verify the Ubuntu operating system has the packages required for multifactor +the device itself (management)." + desc "default", "Using an authentication device, such as a CAC or token that is separate from the information +system, ensures that even if the information system is compromised, that compromise will not +affect credentials stored on the authentication device. + +Multifactor solutions that +require devices separate from information systems gaining access include, for example, +hardware tokens providing time-based or challenge-response authenticators and smart +cards such as the U.S. Government Personal Identity Verification card and the DoD Common +Access Card. + +A privileged account is defined as an information system account with +authorizations of a privileged user. + +Remote access is access to DoD nonpublic information +systems by an authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for example, +dial-up, broadband, and wireless. + +This requirement only applies to components where this +is specific to the function of the device or has the concept of an organizational user (e.g., +VPN, proxy capability). This does not apply to authentication for the purpose of configuring +the device itself (management)." + desc "check", "Verify the Ubuntu operating system has the packages required for multifactor authentication installed with the following commands: $ dpkg -l | grep libpam-pkcs11 
@@ -33,25 +55,26 @@ libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards If the -\"libpam-pkcs11\" package is not installed, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to implement multifactor authentication by +\"libpam-pkcs11\" package is not installed, this is a finding." + desc "fix", "Configure the Ubuntu operating system to implement multifactor authentication by installing the required packages. Install the \"libpam-pkcs11\" package on the system with the following command: -$ sudo apt install libpam-pkcs11 " +$ sudo apt install libpam-pkcs11" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000375-GPOS-00160 ' - tag gid: 'V-238230 ' - tag rid: 'SV-238230r853410_rule ' - tag stig_id: 'UBTU-20-010063 ' - tag fix_id: 'F-41399r653864_fix ' - tag cci: ['CCI-001948'] - tag nist: ['IA-2 (11)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000375-GPOS-00160 " + tag gid: "V-238230 " + tag rid: "SV-238230r853410_rule " + tag stig_id: "UBTU-20-010063 " + tag fix_id: "F-41399r653864_fix " + tag cci: ["CCI-001948"] + tag nist: ["IA-2 (11)"] describe package('libpam-pkcs11') do it { should be_installed } end -end + +end \ No newline at end of file diff --git a/controls/SV-238231.rb b/controls/SV-238231.rb index 907f5ef..003f396 100644 --- a/controls/SV-238231.rb +++ b/controls/SV-238231.rb 
@@ -1,13 +1,20 @@ -control 'SV-238231' do - title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ' +control "SV-238231" do + title "The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. " desc "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security -systems. " - desc 'check', "Verify the Ubuntu operating system accepts PIV credentials. +systems." + desc "default", "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized +access. + +DoD has mandated the use of the CAC to support identity management and personal +authentication for systems covered under Homeland Security Presidential Directive (HSPD) +12, as well as making the CAC a primary component of layered protection for national security +systems." + desc "check", "Verify the Ubuntu operating system accepts PIV credentials. Verify the \"opensc-pcks11\" package is installed on the system with the following command: 
@@ -19,25 +26,26 @@ support for PKCS#15 compatible cards If the \"opensc-pcks11\" package is not installed, -this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to accept PIV credentials. +this is a finding." + desc "fix", "Configure the Ubuntu operating system to accept PIV credentials. Install the \"opensc-pkcs11\" package using the following command: $ sudo apt-get install -opensc-pkcs11 " +opensc-pkcs11" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000376-GPOS-00161 ' - tag gid: 'V-238231 ' - tag rid: 'SV-238231r853411_rule ' - tag stig_id: 'UBTU-20-010064 ' - tag fix_id: 'F-41400r653867_fix ' - tag cci: ['CCI-001953'] - tag nist: ['IA-2 (12)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000376-GPOS-00161 " + tag gid: "V-238231 " + tag rid: "SV-238231r853411_rule " + tag stig_id: "UBTU-20-010064 " + tag fix_id: "F-41400r653867_fix " + tag cci: ["CCI-001953"] + tag nist: ["IA-2 (12)"] describe package('opensc-pkcs11') do it { should be_installed } end -end + +end \ No newline at end of file diff --git a/controls/SV-238232.rb b/controls/SV-238232.rb index 448cc9b..96d9560 100644 --- a/controls/SV-238232.rb +++ b/controls/SV-238232.rb @@ -1,4 +1,4 @@ -control 'SV-238232' do +control "SV-238232" do title "The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials. " desc "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized 
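Review bot: The check text in the `@@ -19,25 +26,26 @@` hunk names the package `opensc-pcks11` (`If the \"opensc-pcks11\" package is not installed, this is a finding.`), while the fix text and the `describe package('opensc-pkcs11')` expectation in the same hunk use `opensc-pkcs11`. The misspelling looks inherited from the upstream STIG wording, but an assessor who follows the check literally and runs `dpkg -l opensc-pcks11` gets a no-such-package result and may record a false finding. Unless the profile's policy is to mirror the STIG verbatim, I'd correct the desc to `opensc-pkcs11`; if it is, a one-line comment above the describe block — `# The STIG check text says "opensc-pcks11" (upstream typo); the real package is opensc-pkcs11.` — would save the next reader the confusion.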
@@ -7,8 +7,15 @@ DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security -systems. " - desc 'check', "Verify the Ubuntu operating system electronically verifies PIV credentials. +systems." + desc "default", "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized +access. + +DoD has mandated the use of the CAC to support identity management and personal +authentication for systems covered under Homeland Security Presidential Directive (HSPD) +12, as well as making the CAC a primary component of layered protection for national security +systems." + desc "check", "Verify the Ubuntu operating system electronically verifies PIV credentials. Verify that certificate status checking for multifactor authentication is implemented with the 
@@ -21,21 +28,21 @@ cert_policy = ca,signature,ocsp_on; If \"cert_policy\" is not set to -\"ocsp_on\", or the line is commented out, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to do certificate status checking for multifactor +\"ocsp_on\", or the line is commented out, this is a finding." + desc "fix", "Configure the Ubuntu operating system to do certificate status checking for multifactor authentication. Modify all of the \"cert_policy\" lines in -\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\". " +\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000377-GPOS-00162 ' - tag gid: 'V-238232 ' - tag rid: 'SV-238232r853412_rule ' - tag stig_id: 'UBTU-20-010065 ' - tag fix_id: 'F-41401r653870_fix ' - tag cci: ['CCI-001954'] - tag nist: ['IA-2 (12)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000377-GPOS-00162 " + tag gid: "V-238232 " + tag rid: "SV-238232r853412_rule " + tag stig_id: "UBTU-20-010065 " + tag fix_id: "F-41401r653870_fix " + tag cci: ["CCI-001954"] + tag nist: ["IA-2 (12)"] config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? if config_file_exists @@ -48,4 +55,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238233.rb b/controls/SV-238233.rb index 3ef0e9b..0c565d7 100644 --- a/controls/SV-238233.rb +++ b/controls/SV-238233.rb 
@@ -1,9 +1,11 @@ -control 'SV-238233' do +control "SV-238233" do title "The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network. " desc "Without configuring a local cache of revocation data, there is the potential to allow access -to users who are no longer authorized (users with revoked certificates). " - desc 'check', "Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation +to users who are no longer authorized (users with revoked certificates)." + desc "default", "Without configuring a local cache of revocation data, there is the potential to allow access +to users who are no longer authorized (users with revoked certificates)." + desc "check", "Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation data when unable to access it from the network. Verify that \"crl_offline\" or \"crl_auto\" is @@ -16,8 +18,8 @@ cert_policy = ca,signature,ocsp_on,crl_auto; If -\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding. " - desc 'fix', "Configure the Ubuntu operating system, for PKI-based authentication, to use local +\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding." + desc "fix", "Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. Add or update the 
@@ -29,16 +31,16 @@ If the system is missing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify accordingly at -\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". " +\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000384-GPOS-00167 ' - tag gid: 'V-238233 ' - tag rid: 'SV-238233r853413_rule ' - tag stig_id: 'UBTU-20-010066 ' - tag fix_id: 'F-41402r653873_fix ' - tag cci: ['CCI-001991'] - tag nist: ['IA-5 (2) (d)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000384-GPOS-00167 " + tag gid: "V-238233 " + tag rid: "SV-238233r853413_rule " + tag stig_id: "UBTU-20-010066 " + tag fix_id: "F-41402r653873_fix " + tag cci: ["CCI-001991"] + tag nist: ["IA-5 (2) (d)"] config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? if config_file_exists @@ -56,4 +58,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238234.rb b/controls/SV-238234.rb index db87059..51dc477 100644 --- a/controls/SV-238234.rb +++ b/controls/SV-238234.rb 
@@ -1,13 +1,16 @@ -control 'SV-238234' do - title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ' +control "SV-238234" do + title "The Ubuntu operating system must prohibit password reuse for a minimum of five generations. " desc "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy -requirements. - - " - desc 'check', "Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five +requirements." + desc "default", "Password complexity, or strength, is a measure of the effectiveness of a password in +resisting attempts at guessing and brute-force attacks. If the information system or +application allows the user to consecutively reuse their password when that password has +exceeded its defined lifetime, the end result is a password that is not changed as per policy +requirements." + desc "check", "Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five generations by running the following command: $ grep -i remember 
@@ -17,25 +20,25 @@ sha512 shadow remember=5 rounds=5000 If the \"remember\" parameter value is not greater -than or equal to \"5\", is commented out, or is not set at all, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of +than or equal to \"5\", is commented out, or is not set at all, this is a finding." + desc "fix", "Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of five generations. Add or modify the \"remember\" parameter value to the following line in \"/etc/pam.d/common-password\" file: password [success=1 default=ignore] pam_unix.so -obscure sha512 shadow remember=5 rounds=5000 " +obscure sha512 shadow remember=5 rounds=5000" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000077-GPOS-00045 ' - tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041) - tag gid: 'V-238234 ' - tag rid: 'SV-238234r832945_rule ' - tag stig_id: 'UBTU-20-010070 ' - tag fix_id: 'F-41403r832944_fix ' - tag cci: %w(CCI-000196 CCI-000200) - tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)'] + tag severity: "low " + tag gtitle: "SRG-OS-000077-GPOS-00045 " + tag satisfies: ["SRG-OS-000077-GPOS-00045", "SRG-OS-000073-GPOS-00041"] + tag gid: "V-238234 " + tag rid: "SV-238234r832945_rule " + tag stig_id: "UBTU-20-010070 " + tag fix_id: "F-41403r832944_fix " + tag cci: ["CCI-000196", "CCI-000200"] + tag nist: ["IA-5 (1) (c)", "IA-5 (1) (e)"] describe file('/etc/pam.d/common-password') do it { should exist } @@ -45,4 +48,5 @@ its('exit_status') { should eq 0 } its('stdout.strip') { should cmp >= 5 } end -end + +end \ No newline at end of file diff --git a/controls/SV-238235.rb b/controls/SV-238235.rb index bd1c9d1..52e593c 100644 --- a/controls/SV-238235.rb +++ b/controls/SV-238235.rb 
@@ -1,12 +1,13 @@ -control 'SV-238235' do +control "SV-238235" do title "The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made. " desc "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by -locking the account. - - " - desc 'check', "Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the +locking the account." + desc "default", "By limiting the number of failed logon attempts, the risk of unauthorized system access via +user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by +locking the account." + desc "check", "Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the following command: $ grep faillock /etc/pam.d/common-auth @@ -38,8 +39,8 @@ If the \"fail_interval\" keyword is missing, commented out, or set to a value greater than 900, this is a finding. If the -\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to utilize the \"pam_faillock\" module. +\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding." + desc "fix", "Configure the Ubuntu operating system to utilize the \"pam_faillock\" module. Edit the /etc/pam.d/common-auth file. 
@@ -59,17 +60,17 @@ silent deny = 3 fail_interval = 900 -unlock_time = 0 " +unlock_time = 0" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000329-GPOS-00128 ' - tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005) - tag gid: 'V-238235 ' - tag rid: 'SV-238235r853414_rule ' - tag stig_id: 'UBTU-20-010072 ' - tag fix_id: 'F-41404r802382_fix ' - tag cci: %w(CCI-000044 CCI-002238) - tag nist: ['AC-7 a', 'AC-7 b'] + tag severity: "low " + tag gtitle: "SRG-OS-000329-GPOS-00128 " + tag satisfies: ["SRG-OS-000329-GPOS-00128", "SRG-OS-000021-GPOS-00005"] + tag gid: "V-238235 " + tag rid: "SV-238235r853414_rule " + tag stig_id: "UBTU-20-010072 " + tag fix_id: "F-41404r802382_fix " + tag cci: ["CCI-000044", "CCI-002238"] + tag nist: ["AC-7 a", "AC-7 b"] describe file('/etc/pam.d/common-auth') do it { should exist } @@ -80,4 +81,5 @@ its('stdout.strip') { should match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3($|\s+.*$)/ } its('stdout.strip') { should_not match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3\s+.*unlock_time.*$/ } end -end + +end \ No newline at end of file diff --git a/controls/SV-238236.rb b/controls/SV-238236.rb index 3e95ddb..eb030fd 100644 --- a/controls/SV-238236.rb +++ b/controls/SV-238236.rb @@ -1,4 +1,4 @@ -control 'SV-238236' do +control "SV-238236" do title "The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one. " desc "Without verification of the security functions, security functions may not operate 
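Review bot: The check and fix text in this control now describe `pam_faillock` with `unlock_time = 0`, but the assertions kept as context at the end of the hunk still grep for `pam_tally2.so ... onerr=fail deny=3` and require that `unlock_time` be absent, so a host hardened exactly as the fix text says (faillock configured, `unlock_time = 0` in faillock.conf) fails this control while a legacy pam_tally2 line passes it. The regex lines are not changed by the commit, but the description lines they contradict are, so the two should be reconciled here: either test for `pam_faillock.so` in /etc/pam.d/common-auth and read `deny`, `fail_interval` and `unlock_time` from /etc/security/faillock.conf, or state in the control that it still enforces the pam_tally2 variant. Separately, `pam_tally2.so` inside an unescaped regex lets the `.` match any character; `pam_tally2\.so` is what is meant. The `describe command(...)` block that these `its` lines belong to opens above the hunk, and the exact `deny` threshold wording in the check text is also outside this view, so the thresholds below follow the title and the visible fail_interval/unlock_time wording.

```ruby
describe file('/etc/pam.d/common-auth') do
  it { should exist }
  its('content') { should match(/^\s*auth\s+required\s+pam_faillock\.so/) }
end

# … unchanged: nothing else kept from the pam_tally2 command block …

describe parse_config_file('/etc/security/faillock.conf') do
  its('deny') { should cmp <= 3 }
  its('fail_interval') { should cmp <= 900 }
  its('unlock_time') { should cmp 0 }
end
```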
@@ -16,8 +16,24 @@ This requirement applies to the Ubuntu operating system performing security function verification/testing and/or systems and environments that require this -functionality. " - desc 'check', "Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to +functionality." + desc "default", "Without verification of the security functions, security functions may not operate +correctly and the failure may go unnoticed. Security function is defined as the hardware, +software, and/or firmware of the information system responsible for enforcing the system +security policy and supporting the isolation of code and data on which the protection is +based. Security functionality includes, but is not limited to, establishing system +accounts, configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + +Notifications +provided by information systems include, for example, electronic alerts to System +Administrators, messages to local computer consoles, and/or hardware indications, such as +lights. + +This requirement applies to the Ubuntu operating system performing security +function verification/testing and/or systems and environments that require this +functionality." + desc "check", "Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged. Download the original aide-common 
@@ -42,8 +58,8 @@ If there is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the -daily or monthly cron directory does not match the SHA1 of the original, this is a finding. " - desc 'fix', "The cron file for AIDE is fairly complex as it creates the report. This file is installed with +daily or monthly cron directory does not match the SHA1 of the original, this is a finding." + desc "fix", "The cron file for AIDE is fairly complex as it creates the report. This file is installed with the \"aide-common\" package, and the default can be restored by copying it from the package: @@ -61,18 +77,19 @@ Copy it to the cron.daily directory: $ sudo cp -f -/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide " +/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000446-GPOS-00200 ' - tag gid: 'V-238236 ' - tag rid: 'SV-238236r853415_rule ' - tag stig_id: 'UBTU-20-010074 ' - tag fix_id: 'F-41405r653882_fix ' - tag cci: ['CCI-002699'] - tag nist: ['SI-6 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000446-GPOS-00200 " + tag gid: "V-238236 " + tag rid: "SV-238236r853415_rule " + tag stig_id: "UBTU-20-010074 " + tag fix_id: "F-41405r653882_fix " + tag cci: ["CCI-002699"] + tag nist: ["SI-6 b"] describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do skip('manual test') end -end + +end \ No newline at end of file diff --git a/controls/SV-238237.rb b/controls/SV-238237.rb index 4b16231..1e1439f 100644 --- a/controls/SV-238237.rb +++ b/controls/SV-238237.rb 
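Review bot: The tail of the file is rewritten from `end` to a blank line followed by `end` with `\ No newline at end of file`, which inverts the normal Ruby layout (no blank line before a closing `end`, exactly one newline after it) and will be flagged by RuboCop's Layout/EmptyLinesAroundBlockBody and Layout/TrailingEmptyLines. Every control in this patch receives the same treatment, so this looks like a formatter artefact rather than an intentional change; the fix is to emit `end` followed by a single trailing newline. Unrelated to the formatting, this control remains `skip('manual test')`, so the SHA1 comparison described in the check text is never executed by the profile — worth stating in the `describe` string so readers do not assume automation.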
@@ -1,9 +1,11 @@ -control 'SV-238237' do +control "SV-238237" do title "The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. " desc "Limiting the number of logon attempts over a certain time interval reduces the chances that an -unauthorized user may gain access to an account. " - desc 'check', "Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon +unauthorized user may gain access to an account." + desc "default", "Limiting the number of logon attempts over a certain time interval reduces the chances that an +unauthorized user may gain access to an account." + desc "check", "Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon prompts following a failed logon attempt with the following command: $ grep pam_faildelay 
@@ -12,24 +14,24 @@ auth required pam_faildelay.so delay=4000000 If the line is -not present or is commented out, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon +not present or is commented out, this is a finding." + desc "fix", "Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. Edit the file \"/etc/pam.d/common-auth\" and set the parameter \"pam_faildelay\" to a value of 4000000 or greater: auth required -pam_faildelay.so delay=4000000 " +pam_faildelay.so delay=4000000" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000480-GPOS-00226 ' - tag gid: 'V-238237 ' - tag rid: 'SV-238237r653886_rule ' - tag stig_id: 'UBTU-20-010075 ' - tag fix_id: 'F-41406r653885_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "low " + tag gtitle: "SRG-OS-000480-GPOS-00226 " + tag gid: "V-238237 " + tag rid: "SV-238237r653886_rule " + tag stig_id: "UBTU-20-010075 " + tag fix_id: "F-41406r653885_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] describe file('/etc/pam.d/common-auth') do it { should exist } @@ -45,4 +47,5 @@ it { should cmp >= 4_000_000 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238238.rb b/controls/SV-238238.rb index 3d098d2..ae84ad0 100644 --- a/controls/SV-238238.rb +++ b/controls/SV-238238.rb @@ -1,4 +1,4 @@ -control 'SV-238238' do +control "SV-238238" do title "The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. " desc "Once an attacker establishes access to a system, the attacker often attempts to create a 
@@ -8,10 +8,16 @@ To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or -exceed access control policy requirements. +exceed access control policy requirements." + desc "default", "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. - " - desc 'check', "Verify the Ubuntu operating system generates audit records for all account creations, +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or +exceed access control policy requirements." + desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/passwd\". Check the @@ -27,8 +33,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match -the example output above. " - desc 'fix', "Configure the Ubuntu operating system to generate audit records for all account creations, +the example output above." + desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/passwd\". Add or 
@@ -40,17 +46,17 @@ To reload the rules file, issue the following command: $ sudo -augenrules --load " +augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000004-GPOS-00004 ' - tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221) - tag gid: 'V-238238 ' - tag rid: 'SV-238238r853416_rule ' - tag stig_id: 'UBTU-20-010100 ' - tag fix_id: 'F-41407r653888_fix ' - tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) - tag nist: ['AC-2 (4)', 'AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000004-GPOS-00004 " + tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000463-GPOS-00207", "SRG-OS-000476-GPOS-00221"] + tag gid: "V-238238 " + tag rid: "SV-238238r853416_rule " + tag stig_id: "UBTU-20-010100 " + tag fix_id: "F-41407r653888_fix " + tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"] + tag nist: ["AC-2 (4)", "AU-12 c"] @audit_file = '/etc/passwd' @@ -75,4 +81,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238239.rb b/controls/SV-238239.rb index 7f6e1d3..b1f9fe9 100644 --- a/controls/SV-238239.rb +++ b/controls/SV-238239.rb @@ -1,4 +1,4 @@ -control 'SV-238239' do +control "SV-238239" do title "The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. " desc "Once an attacker establishes access to a system, the attacker often attempts to create a 
@@ -8,10 +8,16 @@ To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or -exceed access control policy requirements. +exceed access control policy requirements." + desc "default", "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. - " - desc 'check', "Verify the Ubuntu operating system generates audit records for all account creations, +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or +exceed access control policy requirements." + desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/group\". Check the @@ -27,8 +33,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match -the example output above. " - desc 'fix', "Configure the Ubuntu operating system to generate audit records for all account creations, +the example output above." + desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/group\". Add or 
@@ -40,17 +46,17 @@ To reload the rules file, issue the following command: $ sudo -augenrules --load " +augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000004-GPOS-00004 ' - tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221) - tag gid: 'V-238239 ' - tag rid: 'SV-238239r853417_rule ' - tag stig_id: 'UBTU-20-010101 ' - tag fix_id: 'F-41408r653891_fix ' - tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) - tag nist: ['AC-2 (4)', 'AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000004-GPOS-00004 " + tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"] + tag gid: "V-238239 " + tag rid: "SV-238239r853417_rule " + tag stig_id: "UBTU-20-010101 " + tag fix_id: "F-41408r653891_fix " + tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"] + tag nist: ["AC-2 (4)", "AU-12 c"] @audit_file = '/etc/group' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? @@ -74,4 +80,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238240.rb b/controls/SV-238240.rb index 6d560ca..5a15d6f 100644 --- a/controls/SV-238240.rb +++ b/controls/SV-238240.rb @@ -1,4 +1,4 @@ -control 'SV-238240' do +control "SV-238240" do title "The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. " desc "Once an attacker establishes access to a system, the attacker often attempts to create a 
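Review bot: The rewritten `tag satisfies` list for SV-238239 omits `SRG-OS-000463-GPOS-00207`, which the otherwise identical list for SV-238238 (/etc/passwd) two files earlier includes; the STIG may genuinely differ between the two rules, but since the commit regenerates these lines it is worth confirming against the XCCDF so the benchmark mapping is not narrowed by a transcription slip. If it is a slip, add `"SRG-OS-000463-GPOS-00207"` back between `"SRG-OS-000458-GPOS-00203"` and `"SRG-OS-000476-GPOS-00221"`. Also note that the kept context line `line.include?(@audit_file)` is a substring test, so an audit rule watching a longer path such as `/etc/group-` would count as coverage of `/etc/group`; `line.split.include?(@audit_file)` is the tighter check, assuming the rest of the describe block (outside the hunk) does not already re-verify the path.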
@@ -8,10 +8,16 @@ To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or -exceed access control policy requirements. +exceed access control policy requirements." + desc "default", "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. - " - desc 'check', "Verify the Ubuntu operating system generates audit records for all account creations, +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or +exceed access control policy requirements." + desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/shadow\". Check the @@ -27,8 +33,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match -the example output above. " - desc 'fix', "Configure the Ubuntu operating system to generate audit records for all account creations, +the example output above." + desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/shadow\". Add or 
@@ -40,17 +46,17 @@ To reload the rules file, issue the following command: $ sudo -augenrules --load " +augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000004-GPOS-00004 ' - tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221) - tag gid: 'V-238240 ' - tag rid: 'SV-238240r853418_rule ' - tag stig_id: 'UBTU-20-010102 ' - tag fix_id: 'F-41409r653894_fix ' - tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) - tag nist: ['AC-2 (4)', 'AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000004-GPOS-00004 " + tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"] + tag gid: "V-238240 " + tag rid: "SV-238240r853418_rule " + tag stig_id: "UBTU-20-010102 " + tag fix_id: "F-41409r653894_fix " + tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"] + tag nist: ["AC-2 (4)", "AU-12 c"] @audit_file = '/etc/shadow' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? @@ -74,4 +80,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238241.rb b/controls/SV-238241.rb index 07c3f71..d1c360a 100644 --- a/controls/SV-238241.rb +++ b/controls/SV-238241.rb @@ -1,4 +1,4 @@ -control 'SV-238241' do +control "SV-238241" do title "The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. " desc "Once an attacker establishes access to a system, the attacker often attempts to create a 
@@ -8,10 +8,16 @@ To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or -exceed access control policy requirements. +exceed access control policy requirements." + desc "default", "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. - " - desc 'check', "Verify the Ubuntu operating system generates audit records for all account creations, +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or +exceed access control policy requirements." + desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/gshadow\". Check the @@ -27,8 +33,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match -the example output above. " - desc 'fix', "Configure the Ubuntu operating system to generate audit records for all account creations, +the example output above." + desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/gshadow\". Add or 
@@ -40,17 +46,17 @@ To reload the rules file, issue the following command: $ sudo -augenrules --load " +augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000004-GPOS-00004 ' - tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221) - tag gid: 'V-238241 ' - tag rid: 'SV-238241r853419_rule ' - tag stig_id: 'UBTU-20-010103 ' - tag fix_id: 'F-41410r653897_fix ' - tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) - tag nist: ['AU-12 c', 'AC-2 (4)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000004-GPOS-00004 " + tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"] + tag gid: "V-238241 " + tag rid: "SV-238241r853419_rule " + tag stig_id: "UBTU-20-010103 " + tag fix_id: "F-41410r653897_fix " + tag cci: ["CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"] + tag nist: ["AU-12 c", "AC-2 (4)"] @audit_file = '/etc/gshadow' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? @@ -74,4 +80,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238242.rb b/controls/SV-238242.rb index ba0986f..4ee2ea8 100644 --- a/controls/SV-238242.rb +++ b/controls/SV-238242.rb @@ -1,4 +1,4 @@ -control 'SV-238242' do +control "SV-238242" do title "The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. " desc "Once an attacker establishes access to a system, the attacker often attempts to create a 
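Review bot: The rewritten `tag cci` list for SV-238241 (/etc/gshadow) lacks `CCI-000018`, and `tag nist` is ordered `["AU-12 c", "AC-2 (4)"]`, whereas the sibling controls for /etc/passwd, /etc/group and /etc/shadow all carry `CCI-000018` first and `["AC-2 (4)", "AU-12 c"]`. The differing CCI set could be faithful to the STIG, but because the commit regenerates these lines it should be checked against the XCCDF rather than assumed; if the four rules are meant to map identically, align this one with `tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"]`. The ordering difference is harmless to tooling but makes the five near-identical files harder to diff against each other.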
@@ -8,10 +8,16 @@ To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or -exceed access control policy requirements. +exceed access control policy requirements." + desc "default", "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. - " - desc 'check', "Verify the Ubuntu operating system generates audit records for all account creations, +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or +exceed access control policy requirements." + desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/security/opasswd\". @@ -27,8 +33,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does -not need to match the example output above. " - desc 'fix', "Configure the Ubuntu operating system to generate audit records for all account creations, +not need to match the example output above." + desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/security/opasswd\". 
@@ -40,17 +46,17 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000004-GPOS-00004 ' - tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221) - tag gid: 'V-238242 ' - tag rid: 'SV-238242r853420_rule ' - tag stig_id: 'UBTU-20-010104 ' - tag fix_id: 'F-41411r653900_fix ' - tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) - tag nist: ['AC-2 (4)', 'AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000004-GPOS-00004 " + tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"] + tag gid: "V-238242 " + tag rid: "SV-238242r853420_rule " + tag stig_id: "UBTU-20-010104 " + tag fix_id: "F-41411r653900_fix " + tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"] + tag nist: ["AC-2 (4)", "AU-12 c"] @audit_file = '/etc/security/opasswd' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? @@ -74,4 +80,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238243.rb b/controls/SV-238243.rb index cf7f724..73888be 100644 --- a/controls/SV-238243.rb +++ b/controls/SV-238243.rb @@ -1,4 +1,4 @@ -control 'SV-238243' do +control "SV-238243" do title "The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. " desc "It is critical for the appropriate personnel to be aware if a system is at risk of failing to 
@@ -13,8 +13,21 @@ This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or -both. " - desc 'check', "Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing +both." + desc "default", "It is critical for the appropriate personnel to be aware if a system is at risk of failing to +process audit logs as required. Without this notification, the security personnel may be +unaware of an impending failure of the audit capability, and system operation may be +adversely affected. + +Audit processing failures include software/hardware errors, +failures in the audit capturing mechanisms, and audit storage capacity being reached or +exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct +information system component where audit records are stored), the centralized audit +storage capacity of organizations (i.e., all audit data storage repositories combined), or +both." + desc "check", "Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing failure with the following command: $ sudo grep '^action_mail_acct = root' @@ -25,8 +38,8 @@ If the value of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the \"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a -finding. " - desc 'fix', "Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing +finding." + desc "fix", "Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing failure. Edit the following line in \"/etc/audit/auditd.conf\" to ensure administrators 
@@ -41,16 +54,16 @@ Restart the \"auditd\" service so the changes take effect: $ sudo -systemctl restart auditd.service " +systemctl restart auditd.service" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000046-GPOS-00022 ' - tag gid: 'V-238243 ' - tag rid: 'SV-238243r653904_rule ' - tag stig_id: 'UBTU-20-010117 ' - tag fix_id: 'F-41412r653903_fix ' - tag cci: ['CCI-000139'] - tag nist: ['AU-5 a'] + tag severity: "medium " + tag gtitle: "SRG-OS-000046-GPOS-00022 " + tag gid: "V-238243 " + tag rid: "SV-238243r653904_rule " + tag stig_id: "UBTU-20-010117 " + tag fix_id: "F-41412r653903_fix " + tag cci: ["CCI-000139"] + tag nist: ["AU-5 a"] action_mail_acct = auditd_conf.action_mail_acct security_accounts = input('action_mail_acct') @@ -59,4 +72,5 @@ subject { security_accounts } it { should cmp action_mail_acct } end -end + +end \ No newline at end of file diff --git a/controls/SV-238244.rb b/controls/SV-238244.rb index d8e7592..59d2fbd 100644 --- a/controls/SV-238244.rb +++ b/controls/SV-238244.rb @@ -1,4 +1,4 @@ -control 'SV-238244' do +control "SV-238244" do title "The Ubuntu operating system must shut down by default upon audit failure (unless availability is an overriding concern). " desc "It is critical that when the operating system is at risk of failing to process audit logs as 
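Review bot: The comparison kept at the tail of the hunk puts the profile input on the subject side and the configured value on the expected side — `subject { security_accounts }` then `it { should cmp action_mail_acct }` — so a failure reports the input as the "actual" value and the auditd.conf setting as what was "expected", which reads backwards in reports. If `input('action_mail_acct')` is ever declared as a list of accounts (the local name `security_accounts` suggests it might be), `cmp` against the single string from `auditd_conf.action_mail_acct` will never pass. A clearer form is `describe auditd_conf do` / `its('action_mail_acct') { should be_in security_accounts }` / `end`, which also handles the list case. The `describe` line that opens the current block is above the hunk.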
@@ -20,8 +20,28 @@ fails, the operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the -local audit data with the collection server. " - desc 'check', "Verify the Ubuntu operating system takes the appropriate action when the audit storage +local audit data with the collection server." + desc "default", "It is critical that when the operating system is at risk of failing to process audit logs as +required, it takes action to mitigate the failure. Audit processing failures include: +software/hardware errors; failures in the audit capturing mechanisms; and audit storage +capacity being reached or exceeded. Responses to audit failure depend upon the nature of the +failure mode. + +When availability is an overriding concern, other approved actions in +response to an audit failure are as follows: + +1) If the failure was caused by the lack of audit +record storage capacity, the operating system must continue generating audit records if +possible (automatically restarting the audit service if necessary), overwriting the +oldest audit records in a first-in-first-out manner. + +2) If audit records are sent to a +centralized collection server and communication with this server is lost or the server +fails, the operating system must queue audit records locally until communication is +restored or until the audit records are retrieved manually. Upon restoration of the +connection to the centralized collection server, action should be taken to synchronize the +local audit data with the collection server." + desc "check", "Verify the Ubuntu operating system takes the appropriate action when the audit storage volume is full with the following command: $ sudo grep '^disk_full_action' 
@@ -31,8 +51,8 @@ If the value of the \"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented -out, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to shut down by default upon audit failure (unless +out, this is a finding." + desc "fix", "Configure the Ubuntu operating system to shut down by default upon audit failure (unless availability is an overriding concern). Add or update the following line (depending on @@ -44,19 +64,20 @@ Restart the \"auditd\" service so the changes take effect: -$ sudo systemctl restart auditd.service " +$ sudo systemctl restart auditd.service" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000047-GPOS-00023 ' - tag gid: 'V-238244 ' - tag rid: 'SV-238244r653907_rule ' - tag stig_id: 'UBTU-20-010118 ' - tag fix_id: 'F-41413r653906_fix ' - tag cci: ['CCI-000140'] - tag nist: ['AU-5 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000047-GPOS-00023 " + tag gid: "V-238244 " + tag rid: "SV-238244r653907_rule " + tag stig_id: "UBTU-20-010118 " + tag fix_id: "F-41413r653906_fix " + tag cci: ["CCI-000140"] + tag nist: ["AU-5 b"] describe auditd_conf do its('disk_full_action') { should_not be_empty } its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i } end -end + +end \ No newline at end of file diff --git a/controls/SV-238245.rb b/controls/SV-238245.rb index 0955631..46ee253 100644 --- a/controls/SV-238245.rb +++ b/controls/SV-238245.rb @@ -1,4 +1,4 @@ -control 'SV-238245' do +control "SV-238245" do title "The Ubuntu operating system must be configured so that audit log files are not read or write-accessible by unauthorized users. " desc "Unauthorized disclosure of audit records can reveal system and configuration data to 
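Review bot: The `disk_full_action` test in the trailing context of the `@@ -44,19 +64,20 @@` hunk uses an unanchored pattern, `its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }`, so any value that merely contains one of those words passes even though the check text in the same hunk treats anything other than exactly SYSLOG, SINGLE or HALT as a finding. Anchor it: `its('disk_full_action') { should cmp /\A(?:SYSLOG|SINGLE|HALT)\z/i }`. None of auditd's documented values would false-pass today as far as I can tell, so this is cheap hardening against a typo or a future keyword rather than a live bypass, but it costs one line.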
@@ -6,10 +6,14 @@ Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully -audit operating system activity. +audit operating system activity." + desc "default", "Unauthorized disclosure of audit records can reveal system and configuration data to +attackers, thus compromising its confidentiality. - " - desc 'check', "Verify that the audit log files have a mode of \"0600\" or less permissive. +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully +audit operating system activity." + desc "check", "Verify that the audit log files have a mode of \"0600\" or less permissive. Determine where the audit logs are stored with the following command: @@ -27,8 +31,8 @@ /var/log/audit/audit.log 600 If the audit log files have a mode more permissive than -\"0600\", this is a finding. " - desc 'fix', "Configure the audit log files to have a mode of \"0600\" or less permissive. +\"0600\", this is a finding." + desc "fix", "Configure the audit log files to have a mode of \"0600\" or less permissive. Determine where the audit logs are stored with the following command: 
@@ -41,17 +45,17 @@ directory containing the audit logs, configure the audit log files to have a mode of \"0600\" or less permissive by using the following command: -$ sudo chmod 0600 /var/log/audit/* " +$ sudo chmod 0600 /var/log/audit/*" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000057-GPOS-00027 ' - tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028) - tag gid: 'V-238245 ' - tag rid: 'SV-238245r653910_rule ' - tag stig_id: 'UBTU-20-010122 ' - tag fix_id: 'F-41414r653909_fix ' - tag cci: %w(CCI-000162 CCI-000163) - tag nist: ['AU-9 a'] + tag severity: "medium " + tag gtitle: "SRG-OS-000057-GPOS-00027 " + tag satisfies: ["SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028"] + tag gid: "V-238245 " + tag rid: "SV-238245r653910_rule " + tag stig_id: "UBTU-20-010122 " + tag fix_id: "F-41414r653909_fix " + tag cci: ["CCI-000162", "CCI-000163"] + tag nist: ["AU-9 a"] log_file = auditd_conf.log_file @@ -66,4 +70,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238246.rb b/controls/SV-238246.rb index 6e412c4..8a5ba8c 100644 --- a/controls/SV-238246.rb +++ b/controls/SV-238246.rb @@ -1,4 +1,4 @@ -control 'SV-238246' do +control "SV-238246" do title "The Ubuntu operating system must be configured to permit only authorized users ownership of the audit log files. " desc "Unauthorized disclosure of audit records can reveal system and configuration data to 
@@ -6,10 +6,14 @@ Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully -audit operating system activity. +audit operating system activity." + desc "default", "Unauthorized disclosure of audit records can reveal system and configuration data to +attackers, thus compromising its confidentiality. - " - desc 'check', "Verify the audit log files are owned by \"root\" account. +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully +audit operating system activity." + desc "check", "Verify the audit log files are owned by \"root\" account. Determine where the audit logs are stored with the following command: @@ -26,8 +30,8 @@ /var/log/audit/audit.log root If the -audit log files are owned by an user other than \"root\", this is a finding. " - desc 'fix', "Configure the audit log directory and its underlying files to be owned by \"root\" user. +audit log files are owned by an user other than \"root\", this is a finding." + desc "fix", "Configure the audit log directory and its underlying files to be owned by \"root\" user. Determine where the audit logs are stored with the following command: 
@@ -40,17 +44,17 @@ of the directory containing the audit logs, configure the audit log files to be owned by \"root\" user by using the following command: -$ sudo chown root /var/log/audit/* " +$ sudo chown root /var/log/audit/*" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000057-GPOS-00027 ' - tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029) - tag gid: 'V-238246 ' - tag rid: 'SV-238246r653913_rule ' - tag stig_id: 'UBTU-20-010123 ' - tag fix_id: 'F-41415r653912_fix ' - tag cci: ['CCI-000162'] - tag nist: ['AU-9 a'] + tag severity: "medium " + tag gtitle: "SRG-OS-000057-GPOS-00027 " + tag satisfies: ["SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028", "SRG-OS-000059-GPOS-00029"] + tag gid: "V-238246 " + tag rid: "SV-238246r653913_rule " + tag stig_id: "UBTU-20-010123 " + tag fix_id: "F-41415r653912_fix " + tag cci: ["CCI-000162"] + tag nist: ["AU-9 a"] log_file = auditd_conf.log_file @@ -65,4 +69,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238247.rb b/controls/SV-238247.rb index 62f5531..d487828 100644 --- a/controls/SV-238247.rb +++ b/controls/SV-238247.rb @@ -1,4 +1,4 @@ -control 'SV-238247' do +control "SV-238247" do title "The Ubuntu operating system must permit only authorized groups ownership of the audit log files. " desc "Unauthorized disclosure of audit records can reveal system and configuration data to 
@@ -6,10 +6,14 @@ Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully -audit operating system activity. +audit operating system activity." + desc "default", "Unauthorized disclosure of audit records can reveal system and configuration data to +attackers, thus compromising its confidentiality. - " - desc 'check', "Verify the group owner is set to own newly created audit logs in the audit configuration file +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully +audit operating system activity." + desc "check", "Verify the group owner is set to own newly created audit logs in the audit configuration file with the following command: $ sudo grep -iw log_group /etc/audit/auditd.conf log_group = @@ -31,8 +35,8 @@ /var/log/audit/audit.log root If the audit log files are owned by a group other than -\"root\", this is a finding. " - desc 'fix', "Configure the audit log directory and its underlying files to be owned by \"root\" group. +\"root\", this is a finding." + desc "fix", "Configure the audit log directory and its underlying files to be owned by \"root\" group. Set the \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log 
@@ -44,17 +48,17 @@ Last, signal the audit daemon to reload the configuration file to update the group owners of existing files: -$ sudo systemctl kill auditd -s SIGHUP " +$ sudo systemctl kill auditd -s SIGHUP" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000057-GPOS-00027 ' - tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029) - tag gid: 'V-238247 ' - tag rid: 'SV-238247r832947_rule ' - tag stig_id: 'UBTU-20-010124 ' - tag fix_id: 'F-41416r832946_fix ' - tag cci: ['CCI-000162'] - tag nist: ['AU-9 a'] + tag severity: "medium " + tag gtitle: "SRG-OS-000057-GPOS-00027 " + tag satisfies: ["SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028", "SRG-OS-000059-GPOS-00029"] + tag gid: "V-238247 " + tag rid: "SV-238247r832947_rule " + tag stig_id: "UBTU-20-010124 " + tag fix_id: "F-41416r832946_fix " + tag cci: ["CCI-000162"] + tag nist: ["AU-9 a"] log_file = auditd_conf.log_file @@ -69,4 +73,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238248.rb b/controls/SV-238248.rb index 7dc6686..6142ebe 100644 --- a/controls/SV-238248.rb +++ b/controls/SV-238248.rb @@ -1,4 +1,4 @@ -control 'SV-238248' do +control "SV-238248" do title "The Ubuntu operating system must be configured so that the audit log directory is not write-accessible by unauthorized users. " desc "If audit information were to become compromised, then forensic analysis and discovery of the 
@@ -11,8 +11,19 @@ Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully -audit information system activity. " - desc 'check', "Verify that the audit log directory has a mode of \"0750\" or less permissive. +audit information system activity." + desc "default", "If audit information were to become compromised, then forensic analysis and discovery of the +true source of potentially malicious system activity is impossible to achieve. + +To ensure +the veracity of audit information, the operating system must protect audit information from +unauthorized deletion. This requirement can be achieved through multiple methods, which +will depend upon system architecture and design. + +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully +audit information system activity." + desc "check", "Verify that the audit log directory has a mode of \"0750\" or less permissive. Determine where the audit logs are stored with the following command: @@ -31,8 +42,8 @@ /var/log/audit/audit.log 600 If the audit log directory has a mode -more permissive than \"0750\", this is a finding. " - desc 'fix', "Configure the audit log directory to have a mode of \"0750\" or less permissive. +more permissive than \"0750\", this is a finding." + desc "fix", "Configure the audit log directory to have a mode of \"0750\" or less permissive. Determine where the audit logs are stored with the following command: 
@@ -47,16 +58,16 @@ using the following command: $ sudo chmod -R g-w,o-rwx -/var/log/audit " +/var/log/audit" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000059-GPOS-00029 ' - tag gid: 'V-238248 ' - tag rid: 'SV-238248r653919_rule ' - tag stig_id: 'UBTU-20-010128 ' - tag fix_id: 'F-41417r653918_fix ' - tag cci: ['CCI-000164'] - tag nist: ['AU-9 a'] + tag severity: "medium " + tag gtitle: "SRG-OS-000059-GPOS-00029 " + tag gid: "V-238248 " + tag rid: "SV-238248r653919_rule " + tag stig_id: "UBTU-20-010128 " + tag fix_id: "F-41417r653918_fix " + tag cci: ["CCI-000164"] + tag nist: ["AU-9 a"] log_file = auditd_conf.log_file @@ -71,4 +82,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238249.rb b/controls/SV-238249.rb index 5f8e7d2..84c002b 100644 --- a/controls/SV-238249.rb +++ b/controls/SV-238249.rb @@ -1,4 +1,4 @@ -control 'SV-238249' do +control "SV-238249" do title "The Ubuntu operating system must be configured so that audit configuration files are not write-accessible by unauthorized users. " desc "Without the capability to restrict which roles and individuals can select which events are 
@@ -7,8 +7,15 @@ Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and -investigate the events relating to an incident or identify those responsible for one. " - desc 'check', "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +investigate the events relating to an incident or identify those responsible for one." + desc "default", "Without the capability to restrict which roles and individuals can select which events are +audited, unauthorized personnel may be able to prevent the auditing of critical events. + + +Misconfigured audits may degrade the system's performance by overwhelming the audit log. +Misconfigured audits may also make it more difficult to establish, correlate, and +investigate the events relating to an incident or identify those responsible for one." + desc "check", "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and \"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the following command: 
@@ -36,21 +43,21 @@ If \"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file -have a mode more permissive than \"0640\", this is a finding. " - desc 'fix', "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +have a mode more permissive than \"0640\", this is a finding." + desc "fix", "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and \"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command: $ -sudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* " +sudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000063-GPOS-00032 ' - tag gid: 'V-238249 ' - tag rid: 'SV-238249r653922_rule ' - tag stig_id: 'UBTU-20-010133 ' - tag fix_id: 'F-41418r653921_fix ' - tag cci: ['CCI-000171'] - tag nist: ['AU-12 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000063-GPOS-00032 " + tag gid: "V-238249 " + tag rid: "SV-238249r653922_rule " + tag stig_id: "UBTU-20-010133 " + tag fix_id: "F-41418r653921_fix " + tag cci: ["CCI-000171"] + tag nist: ["AU-12 b"] files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries @@ -62,4 +69,5 @@ it { should_not be_more_permissive_than('0640') } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238250.rb b/controls/SV-238250.rb index 2487a1d..be019a8 100644 --- a/controls/SV-238250.rb +++ b/controls/SV-238250.rb @@ -1,4 +1,4 @@ -control 'SV-238250' do +control "SV-238250" do title "The Ubuntu operating system must permit only authorized accounts to own the audit configuration files. " desc "Without the capability to restrict which roles and individuals can select which events are 
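Review bot: `files2 = command('find /etc/audit/rules.d/* -type f')` in the trailing context of this hunk depends on an unquoted shell glob; when `/etc/audit/rules.d` is empty or absent the shell hands `find` a literal `*`, the command fails, stdout is empty, and the per-file `describe` that follows (its body is outside this hunk, the `be_more_permissive_than('0640')` expectation is visible in the next one) presumably iterates an empty list and runs no examples, so a host with no rules files is never examined for this requirement. `files1` already recurses under `/etc/audit/` with no `-maxdepth`, so it collects the same `.rules` files and the second `find` is largely a duplicate. Drop the glob, `files2 = command('find /etc/audit/rules.d -type f').stdout.strip.split("\n").entries`, and add a guard such as `describe files1 + files2 do it { should_not be_empty } end` so an empty result set fails instead of passing vacuously.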
@@ -7,8 +7,15 @@ Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and -investigate the events relating to an incident or identify those responsible for one. " - desc 'check', "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and +investigate the events relating to an incident or identify those responsible for one." + desc "default", "Without the capability to restrict which roles and individuals can select which events are +audited, unauthorized personnel may be able to prevent the auditing of critical events. + + +Misconfigured audits may degrade the system's performance by overwhelming the audit log. +Misconfigured audits may also make it more difficult to establish, correlate, and +investigate the events relating to an incident or identify those responsible for one." + desc "check", "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and \"/etc/audit/auditd.conf\" files are owned by root account by using the following command: 
@@ -46,21 +53,21 @@ If the \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file -is owned by a user other than \"root\", this is a finding. " - desc 'fix', "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and +is owned by a user other than \"root\", this is a finding." + desc "fix", "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and \"/etc/audit/auditd.conf\" files to be owned by root user by using the following command: $ -sudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* " +sudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000063-GPOS-00032 ' - tag gid: 'V-238250 ' - tag rid: 'SV-238250r653925_rule ' - tag stig_id: 'UBTU-20-010134 ' - tag fix_id: 'F-41419r653924_fix ' - tag cci: ['CCI-000171'] - tag nist: ['AU-12 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000063-GPOS-00032 " + tag gid: "V-238250 " + tag rid: "SV-238250r653925_rule " + tag stig_id: "UBTU-20-010134 " + tag fix_id: "F-41419r653924_fix " + tag cci: ["CCI-000171"] + tag nist: ["AU-12 b"] files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries @@ -72,4 +79,5 @@ its('owner') { should cmp 'root' } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238251.rb b/controls/SV-238251.rb index 65e83e5..7880d40 100644 --- a/controls/SV-238251.rb +++ b/controls/SV-238251.rb @@ -1,4 +1,4 @@ -control 'SV-238251' do +control "SV-238251" do title "The Ubuntu operating system must permit only authorized groups to own the audit configuration files. " desc "Without the capability to restrict which roles and individuals can select which events are 
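Review bot: The unquoted glob in `files2 = command('find /etc/audit/rules.d/* -type f')` at the end of this hunk means an empty or missing `/etc/audit/rules.d` turns into a failed `find` with empty stdout, and the ownership loop that follows (outside this hunk; the `its('owner') { should cmp 'root' }` expectation is visible in the next one) presumably then runs zero examples, so a root-ownership violation cannot be reported for hosts that have no rules files. Use the directory rather than a glob, `files2 = command('find /etc/audit/rules.d -type f').stdout.strip.split("\n").entries`, and guard the combined list with `describe files1 + files2 do it { should_not be_empty } end` so an empty scan is a visible failure rather than a silent pass.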
@@ -7,8 +7,15 @@ Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and -investigate the events relating to an incident or identify those responsible for one. " - desc 'check', "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +investigate the events relating to an incident or identify those responsible for one." + desc "default", "Without the capability to restrict which roles and individuals can select which events are +audited, unauthorized personnel may be able to prevent the auditing of critical events. + + +Misconfigured audits may degrade the system's performance by overwhelming the audit log. +Misconfigured audits may also make it more difficult to establish, correlate, and +investigate the events relating to an incident or identify those responsible for one." + desc "check", "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and \"/etc/audit/auditd.conf\" files are owned by root group by using the following command: $ 
@@ -36,21 +43,21 @@ If the \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file -is owned by a group other than \"root\", this is a finding. " - desc 'fix', "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +is owned by a group other than \"root\", this is a finding." + desc "fix", "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and \"/etc/audit/auditd.conf\" files to be owned by root group by using the following command: $ -sudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* " +sudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000063-GPOS-00032 ' - tag gid: 'V-238251 ' - tag rid: 'SV-238251r653928_rule ' - tag stig_id: 'UBTU-20-010135 ' - tag fix_id: 'F-41420r653927_fix ' - tag cci: ['CCI-000171'] - tag nist: ['AU-12 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000063-GPOS-00032 " + tag gid: "V-238251 " + tag rid: "SV-238251r653928_rule " + tag stig_id: "UBTU-20-010135 " + tag fix_id: "F-41420r653927_fix " + tag cci: ["CCI-000171"] + tag nist: ["AU-12 b"] files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries @@ -62,4 +69,5 @@ its('group') { should cmp 'root' } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238252.rb b/controls/SV-238252.rb index c34cfd9..1cc81df 100644 --- a/controls/SV-238252.rb +++ b/controls/SV-238252.rb @@ -1,4 +1,4 @@ -control 'SV-238252' do +control "SV-238252" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the su command. " desc "Without generating audit records that are specific to the security and mission needs of the 
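Review bot: `files2 = command('find /etc/audit/rules.d/* -type f')` in the trailing context of this hunk relies on shell expansion of `*`; if the directory is empty or absent `find` receives the literal pattern and returns nothing, and the group-ownership loop that follows (outside this hunk; `its('group') { should cmp 'root' }` appears in the next one) presumably iterates nothing, so the control passes without inspecting any file. Replace the glob with the directory, `files2 = command('find /etc/audit/rules.d -type f').stdout.strip.split("\n").entries`, and add `describe files1 + files2 do it { should_not be_empty } end` ahead of the loop so an empty result set is reported as a failure.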
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the \"su\" command. Check the configured audit rules with the following @@ -24,8 +31,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need -to match the example output above. " - desc 'fix', "Configure the Ubuntu operating system to generate audit records when +to match the example output above." + desc "fix", "Configure the Ubuntu operating system to generate audit records when successful/unsuccessful attempts to use the \"su\" command occur. Add or update the @@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238252 ' - tag rid: 'SV-238252r653931_rule ' - tag stig_id: 'UBTU-20-010136 ' - tag fix_id: 'F-41421r653930_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238252 " + tag rid: "SV-238252r653931_rule " + tag stig_id: "UBTU-20-010136 " + tag fix_id: "F-41421r653930_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/bin/su' 
@@ -72,4 +79,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238253.rb b/controls/SV-238253.rb index 4fc545f..ddcb939 100644 --- a/controls/SV-238253.rb +++ b/controls/SV-238253.rb @@ -1,4 +1,4 @@ -control 'SV-238253' do +control "SV-238253" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chfn command. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the \"chfn\" command. Check the configured audit rules with the following @@ -24,8 +31,8 @@ finding. Note: The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"chfn\" command. Add or update the following rules in the 
@@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238253 ' - tag rid: 'SV-238253r653934_rule ' - tag stig_id: 'UBTU-20-010137 ' - tag fix_id: 'F-41422r653933_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238253 " + tag rid: "SV-238253r653934_rule " + tag stig_id: "UBTU-20-010137 " + tag fix_id: "F-41422r653933_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/chfn' @@ -72,4 +79,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238254.rb b/controls/SV-238254.rb index 24c3b72..0c80bcc 100644 --- a/controls/SV-238254.rb +++ b/controls/SV-238254.rb @@ -1,4 +1,4 @@ -control 'SV-238254' do +control "SV-238254" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the mount command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the \"mount\" command. Check the configured audit rules with the following @@ -24,8 +31,8 @@ finding. Note: The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"mount\" command. Add or update the following rules in the 
@@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238254 ' - tag rid: 'SV-238254r653937_rule ' - tag stig_id: 'UBTU-20-010138 ' - tag fix_id: 'F-41423r653936_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238254 " + tag rid: "SV-238254r653937_rule " + tag stig_id: "UBTU-20-010138 " + tag fix_id: "F-41423r653936_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/mount' @@ -72,4 +79,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238255.rb b/controls/SV-238255.rb index 179a55c..128eea7 100644 --- a/controls/SV-238255.rb +++ b/controls/SV-238255.rb @@ -1,4 +1,4 @@ -control 'SV-238255' do +control "SV-238255" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the umount command. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify if the Ubuntu operating system generates audit records upon +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify if the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the \"umount\" command. Check the configured 
@@ -24,8 +31,8 @@ are commented out, this is a finding. Note: The \"-k\" allows for specifying an arbitrary -identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"umount\" command. Add or update the following rules in the @@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238255 ' - tag rid: 'SV-238255r653940_rule ' - tag stig_id: 'UBTU-20-010139 ' - tag fix_id: 'F-41424r653939_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238255 " + tag rid: "SV-238255r653940_rule " + tag stig_id: "UBTU-20-010139 " + tag fix_id: "F-41424r653939_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/umount' @@ -72,4 +79,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238256.rb b/controls/SV-238256.rb index 0571b41..3584874 100644 --- a/controls/SV-238256.rb +++ b/controls/SV-238256.rb @@ -1,4 +1,4 @@ -control 'SV-238256' do +control "SV-238256" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-agent command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"ssh-agent\" command. Check the configured audit rules with the @@ -24,8 +31,8 @@ finding. Note: The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"ssh-agent\" command. Add or update the following rules in the 
@@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238256 ' - tag rid: 'SV-238256r653943_rule ' - tag stig_id: 'UBTU-20-010140 ' - tag fix_id: 'F-41425r653942_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238256 " + tag rid: "SV-238256r653943_rule " + tag stig_id: "UBTU-20-010140 " + tag fix_id: "F-41425r653942_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/ssh-agent' @@ -72,4 +79,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238257.rb b/controls/SV-238257.rb index 6c78192..0bfd1d6 100644 --- a/controls/SV-238257.rb +++ b/controls/SV-238257.rb @@ -1,4 +1,4 @@ -control 'SV-238257' do +control "SV-238257" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-keysign command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"ssh-keysign\" command. Check the configured audit rules with the @@ -24,8 +31,8 @@ commented out, this is a finding. Note: The \"-k\" allows for specifying an arbitrary -identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"ssh-keysign\" command. Add or update the following rules in the 
@@ -38,16 +45,16 @@ To reload the rules file, issue the following command: $ sudo augenrules ---load " +--load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238257 ' - tag rid: 'SV-238257r653946_rule ' - tag stig_id: 'UBTU-20-010141 ' - tag fix_id: 'F-41426r653945_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238257 " + tag rid: "SV-238257r653946_rule " + tag stig_id: "UBTU-20-010141 " + tag fix_id: "F-41426r653945_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/lib/openssh/ssh-keysign' @@ -73,4 +80,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238258.rb b/controls/SV-238258.rb index c851a12..0db22d7 100644 --- a/controls/SV-238258.rb +++ b/controls/SV-238258.rb @@ -1,4 +1,4 @@ -control 'SV-238258' do +control "SV-238258" do title "The Ubuntu operating system must generate audit records for any use of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -13,10 +13,21 @@ syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into -one rule whenever possible. +one rule whenever possible." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). - " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls. 
@@ -46,8 +57,8 @@ For 32-bit architectures, only the 32-bit specific output lines from the commands are required. The \"-k\" allows for specifying an -arbitrary identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls. @@ -72,17 +83,17 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206) - tag gid: 'V-238258 ' - tag rid: 'SV-238258r808474_rule ' - tag stig_id: 'UBTU-20-010142 ' - tag fix_id: 'F-41427r808473_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000462-GPOS-00206"] + tag gid: "V-238258 " + tag rid: "SV-238258r808474_rule " + tag stig_id: "UBTU-20-010142 " + tag fix_id: "F-41427r808473_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] if os.arch == 'x86_64' describe auditd.syscall('setxattr').where { arch == 'b64' } do @@ -94,4 +105,5 @@ its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end -end + +end \ No newline at end of file diff --git a/controls/SV-238264.rb b/controls/SV-238264.rb index 737f005..9eea681 100644 --- a/controls/SV-238264.rb +++ b/controls/SV-238264.rb 
@@ -1,4 +1,4 @@ -control 'SV-238264' do +control "SV-238264" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -13,10 +13,21 @@ syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into -one rule whenever possible. +one rule whenever possible." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). - " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. Check the 
@@ -38,8 +49,8 @@ For 32-bit architectures, only the 32-bit specific output lines from the commands are required. The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. Add or update the following @@ -57,17 +68,17 @@ To reload the rules file, issue the following command: $ sudo -augenrules --load " +augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206) - tag gid: 'V-238264 ' - tag rid: 'SV-238264r808477_rule ' - tag stig_id: 'UBTU-20-010148 ' - tag fix_id: 'F-41433r808476_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000462-GPOS-00206"] + tag gid: "V-238264 " + tag rid: "SV-238264r808477_rule " + tag stig_id: "UBTU-20-010148 " + tag fix_id: "F-41433r808476_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] # FIX @@ -81,4 +92,5 @@ its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end -end + +end \ No newline at end of file diff --git a/controls/SV-238268.rb b/controls/SV-238268.rb index 151198e..8c6c83b 100644 --- a/controls/SV-238268.rb +++ b/controls/SV-238268.rb 
@@ -1,4 +1,4 @@ -control 'SV-238268' do +control "SV-238268" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -13,10 +13,21 @@ syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into -one rule whenever possible. +one rule whenever possible." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). - " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. Check the configured 
@@ -38,8 +49,8 @@ architectures, only the 32-bit specific output lines from the commands are required. The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to -match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. Add or update the following rules in @@ -56,17 +67,17 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206) - tag gid: 'V-238268 ' - tag rid: 'SV-238268r808480_rule ' - tag stig_id: 'UBTU-20-010152 ' - tag fix_id: 'F-41437r808479_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000462-GPOS-00206"] + tag gid: "V-238268 " + tag rid: "SV-238268r808480_rule " + tag stig_id: "UBTU-20-010152 " + tag fix_id: "F-41437r808479_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] # FIX @@ -80,4 +91,5 @@ its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end -end + +end \ No newline at end of file diff --git a/controls/SV-238271.rb b/controls/SV-238271.rb index b7bd30f..b3adcfc 100644 --- a/controls/SV-238271.rb +++ b/controls/SV-238271.rb 
@@ -1,4 +1,4 @@ -control 'SV-238271' do +control "SV-238271" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -13,10 +13,21 @@ syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into -one rule whenever possible. +one rule whenever possible." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). - " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible." + desc "check", "Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to use the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls. 
@@ -47,8 +58,8 @@ 32-bit specific output lines from the commands are required. The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output -above. " - desc 'fix', "Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\", +above." + desc "fix", "Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls. Add @@ -73,17 +84,17 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219) - tag gid: 'V-238271 ' - tag rid: 'SV-238271r808483_rule ' - tag stig_id: 'UBTU-20-010155 ' - tag fix_id: 'F-41440r808482_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000474-GPOS-00219"] + tag gid: "V-238271 " + tag rid: "SV-238271r808483_rule " + tag stig_id: "UBTU-20-010155 " + tag fix_id: "F-41440r808482_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] # FIX @@ -109,4 +120,5 @@ its('list.uniq') { should eq ['exit'] } its('exit.uniq') { should include '-EACCES' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238277.rb b/controls/SV-238277.rb index dc8e9d3..a5ec574 100644 --- a/controls/SV-238277.rb +++ b/controls/SV-238277.rb @@ -1,4 +1,4 @@ -control 'SV-238277' do +control "SV-238277" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudo command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\" +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\" command. Check the configured audit rules with the following command: @@ -23,8 +30,8 @@ line is commented out, this is a finding. Note: The \"-k\" allows for specifying an arbitrary -identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"sudo\" command. Add or update the following rules in the 
@@ -36,16 +43,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238277 ' - tag rid: 'SV-238277r654006_rule ' - tag stig_id: 'UBTU-20-010161 ' - tag fix_id: 'F-41446r654005_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238277 " + tag rid: "SV-238277r654006_rule " + tag stig_id: "UBTU-20-010161 " + tag fix_id: "F-41446r654005_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/sudo' @@ -69,4 +76,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238278.rb b/controls/SV-238278.rb index 7127de7..50c9486 100644 --- a/controls/SV-238278.rb +++ b/controls/SV-238278.rb @@ -1,4 +1,4 @@ -control 'SV-238278' do +control "SV-238278" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudoedit command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"sudoedit\" command. Check the configured audit rules with the @@ -24,8 +31,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does -not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"sudoedit\" command. Add or update the following rules in the @@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238278 ' - tag rid: 'SV-238278r654009_rule ' - tag stig_id: 'UBTU-20-010162 ' - tag fix_id: 'F-41447r654008_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238278 " + tag rid: "SV-238278r654009_rule " + tag stig_id: "UBTU-20-010162 " + tag fix_id: "F-41447r654008_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/sudoedit' 
@@ -71,4 +78,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238279.rb b/controls/SV-238279.rb index 2267b90..5429112 100644 --- a/controls/SV-238279.rb +++ b/controls/SV-238279.rb @@ -1,4 +1,4 @@ -control 'SV-238279' do +control "SV-238279" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chsh command. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"chsh\" command. Check the configured audit rules with the following @@ -24,8 +31,8 @@ Notes: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example -output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chsh\" command. Add or update the following rules in the 
@@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238279 ' - tag rid: 'SV-238279r654012_rule ' - tag stig_id: 'UBTU-20-010163 ' - tag fix_id: 'F-41448r654011_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238279 " + tag rid: "SV-238279r654012_rule " + tag stig_id: "UBTU-20-010163 " + tag fix_id: "F-41448r654011_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/chsh' @@ -70,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238280.rb b/controls/SV-238280.rb index 9c63fce..42ab3a7 100644 --- a/controls/SV-238280.rb +++ b/controls/SV-238280.rb @@ -1,4 +1,4 @@ -control 'SV-238280' do +control "SV-238280" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the newgrp command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"newgrp\" command. Check the configured audit rules with the following @@ -24,8 +31,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example -output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"newgrp\" command. Add or update the following rules in the @@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238280 ' - tag rid: 'SV-238280r654015_rule ' - tag stig_id: 'UBTU-20-010164 ' - tag fix_id: 'F-41449r654014_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238280 " + tag rid: "SV-238280r654015_rule " + tag stig_id: "UBTU-20-010164 " + tag fix_id: "F-41449r654014_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/newgrp' 
@@ -70,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238281.rb b/controls/SV-238281.rb index acdfc9f..b2532fa 100644 --- a/controls/SV-238281.rb +++ b/controls/SV-238281.rb @@ -1,4 +1,4 @@ -control 'SV-238281' do +control "SV-238281" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chcon command. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"chcon\" command. Check the currently configured audit rules with the @@ -24,8 +31,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does -not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chcon\" command. Add or update the following rules in the 
@@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238281 ' - tag rid: 'SV-238281r654018_rule ' - tag stig_id: 'UBTU-20-010165 ' - tag fix_id: 'F-41450r654017_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238281 " + tag rid: "SV-238281r654018_rule " + tag stig_id: "UBTU-20-010165 " + tag fix_id: "F-41450r654017_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/chcon' @@ -70,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238282.rb b/controls/SV-238282.rb index 6fcb11e..499889c 100644 --- a/controls/SV-238282.rb +++ b/controls/SV-238282.rb @@ -1,4 +1,4 @@ -control 'SV-238282' do +control "SV-238282" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the apparmor_parser command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"apparmor_parser\" command. Check the currently configured audit @@ -24,8 +31,8 @@ commented out, this is a finding. Note: The \"-k\" allows for specifying an arbitrary -identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"apparmor_parser\" command. Add or update the following rules in the 
@@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238282 ' - tag rid: 'SV-238282r654021_rule ' - tag stig_id: 'UBTU-20-010166 ' - tag fix_id: 'F-41451r654020_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238282 " + tag rid: "SV-238282r654021_rule " + tag stig_id: "UBTU-20-010166 " + tag fix_id: "F-41451r654020_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/sbin/apparmor_parser' @@ -70,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238283.rb b/controls/SV-238283.rb index abdfb08..95509e1 100644 --- a/controls/SV-238283.rb +++ b/controls/SV-238283.rb @@ -1,4 +1,4 @@ -control 'SV-238283' do +control "SV-238283" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the setfacl command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"setfacl\" command. Check the currently configured audit rules with the @@ -24,8 +31,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does -not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"setfacl\" command. Add or update the following rules in the @@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238283 ' - tag rid: 'SV-238283r654024_rule ' - tag stig_id: 'UBTU-20-010167 ' - tag fix_id: 'F-41452r654023_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238283 " + tag rid: "SV-238283r654024_rule " + tag stig_id: "UBTU-20-010167 " + tag fix_id: "F-41452r654023_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/setfacl' 
@@ -70,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238284.rb b/controls/SV-238284.rb index 70e3edd..99cb9f3 100644 --- a/controls/SV-238284.rb +++ b/controls/SV-238284.rb @@ -1,4 +1,4 @@ -control 'SV-238284' do +control "SV-238284" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chacl command. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"chacl\" command. Check the currently configured audit rules with the @@ -24,8 +31,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match -the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chacl\" command. Add or update the following rules in the 
@@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238284 ' - tag rid: 'SV-238284r654027_rule ' - tag stig_id: 'UBTU-20-010168 ' - tag fix_id: 'F-41453r654026_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238284 " + tag rid: "SV-238284r654027_rule " + tag stig_id: "UBTU-20-010168 " + tag fix_id: "F-41453r654026_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/chacl' @@ -70,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238285.rb b/controls/SV-238285.rb index d721e70..cfc3a74 100644 --- a/controls/SV-238285.rb +++ b/controls/SV-238285.rb @@ -1,4 +1,4 @@ -control 'SV-238285' do +control "SV-238285" do title "The Ubuntu operating system must generate audit records for the use and modification of the tallylog file. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,10 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. - " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful modifications to the \"tallylog\" file. Check the currently configured audit rules with the @@ -25,8 +30,8 @@ out, this is a finding. Note: The \"-k\" allows for specifying an arbitrary identifier, and -the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful +the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the \"tallylog\" file. Add or update the following rules in the 
@@ -37,17 +42,17 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218) - tag gid: 'V-238285 ' - tag rid: 'SV-238285r654030_rule ' - tag stig_id: 'UBTU-20-010169 ' - tag fix_id: 'F-41454r654029_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000470-GPOS-00214", "SRG-OS-000473-GPOS-00218"] + tag gid: "V-238285 " + tag rid: "SV-238285r654030_rule " + tag stig_id: "UBTU-20-010169 " + tag fix_id: "F-41454r654029_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/var/log/tallylog' @@ -72,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238286.rb b/controls/SV-238286.rb index 81c511a..fbf6800 100644 --- a/controls/SV-238286.rb +++ b/controls/SV-238286.rb @@ -1,4 +1,4 @@ -control 'SV-238286' do +control "SV-238286" do title "The Ubuntu operating system must generate audit records for the use and modification of faillog file. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,10 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. - " - desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful modifications to the \"faillog\" file. Check the currently configured audit rules with the @@ -25,8 +30,8 @@ this is a finding. Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful +string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the \"faillog\" file. Add or update the following rules in the 
@@ -37,17 +42,17 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218) - tag gid: 'V-238286 ' - tag rid: 'SV-238286r654033_rule ' - tag stig_id: 'UBTU-20-010170 ' - tag fix_id: 'F-41455r654032_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000470-GPOS-00214", "SRG-OS-000473-GPOS-00218"] + tag gid: "V-238286 " + tag rid: "SV-238286r654033_rule " + tag stig_id: "UBTU-20-010170 " + tag fix_id: "F-41455r654032_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/var/log/faillog' @@ -72,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238287.rb b/controls/SV-238287.rb index f959caf..6ae99b4 100644 --- a/controls/SV-238287.rb +++ b/controls/SV-238287.rb @@ -1,4 +1,4 @@ -control 'SV-238287' do +control "SV-238287" do title "The Ubuntu operating system must generate audit records for the use and modification of the lastlog file. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,10 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. - " - desc 'check', "Verify the Ubuntu operating system generates an audit record when successful/unsuccessful +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the \"lastlog\" file occur. Check the currently configured audit rules @@ -25,8 +30,8 @@ out, this is a finding. Note: The \"-k\" allows for specifying an arbitrary identifier, and -the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful +the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the \"lastlog\" file. Add or update the following rules in the 
@@ -37,17 +42,17 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218) - tag gid: 'V-238287 ' - tag rid: 'SV-238287r654036_rule ' - tag stig_id: 'UBTU-20-010171 ' - tag fix_id: 'F-41456r654035_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000470-GPOS-00214", "SRG-OS-000473-GPOS-00218"] + tag gid: "V-238287 " + tag rid: "SV-238287r654036_rule " + tag stig_id: "UBTU-20-010171 " + tag fix_id: "F-41456r654035_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/var/log/lastlog' @@ -72,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238288.rb b/controls/SV-238288.rb index 6f8fddd..8d5fbc8 100644 --- a/controls/SV-238288.rb +++ b/controls/SV-238288.rb @@ -1,4 +1,4 @@ -control 'SV-238288' do +control "SV-238288" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the passwd command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\" +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\" command. Check the currently configured audit rules with the following command: @@ -24,8 +31,8 @@ Note: The \"key\" allows for specifying an arbitrary identifier, and the string after it does not need to match -the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"passwd\" command. Add or update the following rule in the @@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238288 ' - tag rid: 'SV-238288r833012_rule ' - tag stig_id: 'UBTU-20-010172 ' - tag fix_id: 'F-41457r832949_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238288 " + tag rid: "SV-238288r833012_rule " + tag stig_id: "UBTU-20-010172 " + tag fix_id: "F-41457r832949_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/passwd' 
@@ -71,4 +78,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238289.rb b/controls/SV-238289.rb index ffd8905..52d6204 100644 --- a/controls/SV-238289.rb +++ b/controls/SV-238289.rb @@ -1,4 +1,4 @@ -control 'SV-238289' do +control "SV-238289" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the unix_update command. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"unix_update\" command. Check the currently configured audit rules with the following @@ -24,8 +31,8 @@ this is a finding. Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"unix_update\" command. Add or update the following rules in the 
@@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238289 ' - tag rid: 'SV-238289r654042_rule ' - tag stig_id: 'UBTU-20-010173 ' - tag fix_id: 'F-41458r654041_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238289 " + tag rid: "SV-238289r654042_rule " + tag stig_id: "UBTU-20-010173 " + tag fix_id: "F-41458r654041_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/sbin/unix_update' @@ -70,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238290.rb b/controls/SV-238290.rb index f9fdf7c..292b947 100644 --- a/controls/SV-238290.rb +++ b/controls/SV-238290.rb @@ -1,4 +1,4 @@ -control 'SV-238290' do +control "SV-238290" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the gpasswd command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\" +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\" command. Check the currently configured audit rules with the following command: @@ -24,8 +31,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example -output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"gpasswd\" command. Add or update the following rules in the @@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238290 ' - tag rid: 'SV-238290r654045_rule ' - tag stig_id: 'UBTU-20-010174 ' - tag fix_id: 'F-41459r654044_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238290 " + tag rid: "SV-238290r654045_rule " + tag stig_id: "UBTU-20-010174 " + tag fix_id: "F-41459r654044_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/gpasswd' 
@@ -70,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238291.rb b/controls/SV-238291.rb index 8803ac1..9dc2155 100644 --- a/controls/SV-238291.rb +++ b/controls/SV-238291.rb @@ -1,4 +1,4 @@ -control 'SV-238291' do +control "SV-238291" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chage command. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\" +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\" command. Check the currently configured audit rules with the following command: @@ -24,8 +31,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example -output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"chage\" command. Add or update the following rules in the 
@@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238291 ' - tag rid: 'SV-238291r654048_rule ' - tag stig_id: 'UBTU-20-010175 ' - tag fix_id: 'F-41460r654047_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238291 " + tag rid: "SV-238291r654048_rule " + tag stig_id: "UBTU-20-010175 " + tag fix_id: "F-41460r654047_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/chage' @@ -70,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238292.rb b/controls/SV-238292.rb index 017922a..21062bf 100644 --- a/controls/SV-238292.rb +++ b/controls/SV-238292.rb @@ -1,4 +1,4 @@ -control 'SV-238292' do +control "SV-238292" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the usermod command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\" +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\" command. Check the currently configured audit rules with the following command: @@ -24,8 +31,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example -output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"usermod\" command. Add or update the following rules in the @@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238292 ' - tag rid: 'SV-238292r654051_rule ' - tag stig_id: 'UBTU-20-010176 ' - tag fix_id: 'F-41461r654050_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238292 " + tag rid: "SV-238292r654051_rule " + tag stig_id: "UBTU-20-010176 " + tag fix_id: "F-41461r654050_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/sbin/usermod' 
@@ -70,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238293.rb b/controls/SV-238293.rb index d94acdc..549dade 100644 --- a/controls/SV-238293.rb +++ b/controls/SV-238293.rb @@ -1,4 +1,4 @@ -control 'SV-238293' do +control "SV-238293" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the crontab command. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\" +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\" command. Check the currently configured audit rules with the following command: @@ -24,8 +31,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example -output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"crontab\" command. Add or update the following rules in the 
@@ -37,16 +44,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238293 ' - tag rid: 'SV-238293r654054_rule ' - tag stig_id: 'UBTU-20-010177 ' - tag fix_id: 'F-41462r654053_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238293 " + tag rid: "SV-238293r654054_rule " + tag stig_id: "UBTU-20-010177 " + tag fix_id: "F-41462r654053_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/bin/crontab' @@ -70,4 +77,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238294.rb b/controls/SV-238294.rb index 53116a8..c794420 100644 --- a/controls/SV-238294.rb +++ b/controls/SV-238294.rb @@ -1,4 +1,4 @@ -control 'SV-238294' do +control "SV-238294" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the pam_timestamp_check command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"pam_timestamp_check\" command. Check the currently configured audit rules with the @@ -25,8 +32,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output -above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"pam_timestamp_check\" command. Add or update the following rules in the @@ -39,16 +46,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag gid: 'V-238294 ' - tag rid: 'SV-238294r654057_rule ' - tag stig_id: 'UBTU-20-010178 ' - tag fix_id: 'F-41463r654056_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238294 " + tag rid: "SV-238294r654057_rule " + tag stig_id: "UBTU-20-010178 " + tag fix_id: "F-41463r654056_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/usr/sbin/pam_timestamp_check' 
@@ -72,4 +79,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238295.rb b/controls/SV-238295.rb index 657cf1f..e71aca6 100644 --- a/controls/SV-238295.rb +++ b/controls/SV-238295.rb @@ -1,4 +1,4 @@ -control 'SV-238295' do +control "SV-238295" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the init_module and finit_module syscalls. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -13,10 +13,21 @@ syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into -one rule whenever possible. +one rule whenever possible." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). - " - desc 'check', "Verify the Ubuntu operating system generates an audit record for any +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible." + desc "check", "Verify the Ubuntu operating system generates an audit record for any successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls. 
@@ -38,8 +49,8 @@ For 32-bit architectures, only the 32-bit specific output lines from the commands are required. The \"-k\" allows for specifying an -arbitrary identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"init_module\" and \"finit_module\" syscalls. Add or update the following rules in the @@ -57,17 +68,17 @@ To reload the rules file, issue the following command: $ -sudo augenrules --load " +sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216) - tag gid: 'V-238295 ' - tag rid: 'SV-238295r808486_rule ' - tag stig_id: 'UBTU-20-010179 ' - tag fix_id: 'F-41464r808485_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000471-GPOS-00216"] + tag gid: "V-238295 " + tag rid: "SV-238295r808486_rule " + tag stig_id: "UBTU-20-010179 " + tag fix_id: "F-41464r808485_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] if os.arch == 'x86_64' describe auditd.syscall('init_module').where { arch == 'b64' } do @@ -79,4 +90,5 @@ its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end -end + +end \ No newline at end of file diff --git a/controls/SV-238297.rb b/controls/SV-238297.rb index 53a6e24..f027da9 100644 --- a/controls/SV-238297.rb +++ b/controls/SV-238297.rb 
@@ -1,4 +1,4 @@ -control 'SV-238297' do +control "SV-238297" do title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the delete_module syscall. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -7,10 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. - " - desc 'check', "Verify the Ubuntu operating system generates an audit record for any +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates an audit record for any successful/unsuccessful attempts to use the \"delete_module\" syscall. Check the @@ -31,8 +36,8 @@ - For 32-bit architectures, only the 32-bit specific output lines from the commands are required. - The \"-k\" allows for specifying an -arbitrary identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"delete_module\" syscall. Add or update the following rules in the 
@@ -49,17 +54,17 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000064-GPOS-00033 ' - tag satisfies: ['SRG-OS-000477-GPOS-00222'] - tag gid: 'V-238297 ' - tag rid: 'SV-238297r802387_rule ' - tag stig_id: 'UBTU-20-010181 ' - tag fix_id: 'F-41466r654065_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000477-GPOS-00222"] + tag gid: "V-238297 " + tag rid: "SV-238297r802387_rule " + tag stig_id: "UBTU-20-010181 " + tag fix_id: "F-41466r654065_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] if os.arch == 'x86_64' describe auditd.syscall('delete_module').where { arch == 'b64' } do @@ -71,4 +76,5 @@ its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end -end + +end \ No newline at end of file diff --git a/controls/SV-238298.rb b/controls/SV-238298.rb index 209b159..3595bd4 100644 --- a/controls/SV-238298.rb +++ b/controls/SV-238298.rb @@ -1,4 +1,4 @@ -control 'SV-238298' do +control "SV-238298" do title "The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time. " 
@@ -27,10 +27,34 @@ Associating event types with detected events in the Ubuntu operating system audit logs provides a means of investigating an attack; recognizing resource utilization or -capacity thresholds; or identifying an improperly configured operating system. +capacity thresholds; or identifying an improperly configured operating system." + desc "default", "Without establishing the when, where, type, source, and outcome of events that occurred, it +would be difficult to establish, correlate, and investigate the events leading up to an +outage or attack. + +Without the capability to generate audit records, it would be difficult +to establish, correlate, and investigate the events relating to an incident or identify +those responsible for one. + +Audit record content that may be necessary to satisfy this +requirement includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, filenames +involved, and access control or flow control rules invoked. + +Reconstruction of harmful +events or forensic analysis is not possible if audit records do not contain enough +information. + +Successful incident response and auditing relies on timely, accurate +system information and analysis in order to allow the organization to identify and respond to +potential incidents in a proficient manner. If the operating system does not provide the +ability to centrally review the operating system logs, forensic analysis is negatively +impacted. - " - desc 'check', "Verify the audit service is configured to produce audit records with the following command: +Associating event types with detected events in the Ubuntu operating system +audit logs provides a means of investigating an attack; recognizing resource utilization or +capacity thresholds; or identifying an improperly configured operating system." 
+ desc "check", "Verify the audit service is configured to produce audit records with the following command: $ dpkg -l | grep auditd @@ -53,8 +77,8 @@ active If the command above returns \"inactive\", -this is a finding. " - desc 'fix', "Configure the audit service to produce audit records containing the information needed to +this is a finding." + desc "fix", "Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred. Install the audit service (if the audit 
@@ -71,17 +95,17 @@ To reload the rules file, issue the following command: $ sudo augenrules ---load " +--load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000122-GPOS-00063 ' - tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220) - tag gid: 'V-238298 ' - tag rid: 'SV-238298r853421_rule ' - tag stig_id: 'UBTU-20-010182 ' - tag fix_id: 'F-41467r654068_fix ' - tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914) - tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000122-GPOS-00063 " + tag satisfies: ["SRG-OS-000122-GPOS-00063", "SRG-OS-000037-GPOS-00015", "SRG-OS-000038-GPOS-00016", "SRG-OS-000039-GPOS-00017", "SRG-OS-000040-GPOS-00018", "SRG-OS-000041-GPOS-00019", "SRG-OS-000042-GPOS-00020", "SRG-OS-000042-GPOS-00021", "SRG-OS-000051-GPOS-00024", "SRG-OS-000054-GPOS-00025", "SRG-OS-000062-GPOS-00031", "SRG-OS-000337-GPOS-00129", "SRG-OS-000348-GPOS-00136", "SRG-OS-000349-GPOS-00137", "SRG-OS-000350-GPOS-00138", "SRG-OS-000351-GPOS-00139", "SRG-OS-000352-GPOS-00140", "SRG-OS-000353-GPOS-00141", "SRG-OS-000354-GPOS-00142", "SRG-OS-000475-GPOS-00220"] + tag gid: "V-238298 " + tag rid: "SV-238298r853421_rule " + tag stig_id: "UBTU-20-010182 " + tag fix_id: "F-41467r654068_fix " + tag 
cci: ["CCI-000130", "CCI-000131", "CCI-000132", "CCI-000133", "CCI-000134", "CCI-000135", "CCI-000154", "CCI-000158", "CCI-000169", "CCI-000172", "CCI-001875", "CCI-001876", "CCI-001877", "CCI-001878", "CCI-001879", "CCI-001880", "CCI-001881", "CCI-001882", "CCI-001914"] + tag nist: ["AU-3 a", "AU-3 b", "AU-3 c", "AU-3 d", "AU-3 e", "AU-3 (1)", "AU-6 (4)", "AU-7 (1)", "AU-12 a", "AU-12 c", "AU-7 a", "AU-7 b", "AU-12 (3)"] describe package('auditd') do it { should be_installed } @@ -91,4 +115,5 @@ it { should be_enabled } it { should be_running } end -end + +end \ No newline at end of file diff --git a/controls/SV-238299.rb b/controls/SV-238299.rb index f990ba3..ee92a56 100644 --- a/controls/SV-238299.rb +++ b/controls/SV-238299.rb @@ -1,9 +1,12 @@ -control 'SV-238299' do - title 'The Ubuntu operating system must initiate session audits at system start-up. ' +control "SV-238299" do + title "The Ubuntu operating system must initiate session audits at system start-up. " desc "If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if -auditing is enabled before a given process is created. " - desc 'check', "Verify that the Ubuntu operating system enables auditing at system startup. +auditing is enabled before a given process is created." + desc "default", "If auditing is enabled late in the start-up process, the actions of some start-up processes +may not be audited. Some audit systems also maintain state information only available if +auditing is enabled before a given process is created." + desc "check", "Verify that the Ubuntu operating system enables auditing at system startup. Verify that the auditing is enabled in grub with the following command: 
@@ -17,8 +20,8 @@ /boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro recovery nomodeset audit=1 -If any linux lines do not contain \"audit=1\", this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to produce audit records at system startup. +If any linux lines do not contain \"audit=1\", this is a finding." + desc "fix", "Configure the Ubuntu operating system to produce audit records at system startup. Edit the \"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option. @@ -26,16 +29,16 @@ To update the grub config file, run: -$ sudo update-grub " +$ sudo update-grub" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000254-GPOS-00095 ' - tag gid: 'V-238299 ' - tag rid: 'SV-238299r654072_rule ' - tag stig_id: 'UBTU-20-010198 ' - tag fix_id: 'F-41468r654071_fix ' - tag cci: ['CCI-001464'] - tag nist: ['AU-14 (1)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000254-GPOS-00095 " + tag gid: "V-238299 " + tag rid: "SV-238299r654072_rule " + tag stig_id: "UBTU-20-010198 " + tag fix_id: "F-41468r654071_fix " + tag cci: ["CCI-001464"] + tag nist: ["AU-14 (1)"] grub_entries = command('grep "^\s*linux" /boot/grub/grub.cfg').stdout.strip.split("\n").entries @@ -44,4 +47,5 @@ it { should include 'audit=1' } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238300.rb b/controls/SV-238300.rb index 8920fe2..ddc497f 100644 --- a/controls/SV-238300.rb +++ b/controls/SV-238300.rb @@ -1,5 +1,5 @@ -control 'SV-238300' do - title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ' +control "SV-238300" do + title "The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. " desc "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
@@ -12,10 +12,21 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and -report generators. +report generators." + desc "default", "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. - " - desc 'check', "Verify the Ubuntu operating system configures the audit tools to have a file permission of +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user enjoys in order to make access +decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators." + desc "check", "Verify the Ubuntu operating system configures the audit tools to have a file permission of 0755 or less to prevent unauthorized access by running the following command: $ stat -c \"%n 
@@ -33,25 +44,25 @@ /sbin/augenrules 755 If any of the audit tools have a mode more permissive than 0755, this -is a finding. " - desc 'fix', "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized +is a finding." + desc "fix", "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized access by setting the correct permissive mode using the following command: $ sudo chmod 0755 [audit_tool] Replace \"[audit_tool]\" with the audit tool that does not have the -correct permissions. " +correct permissions." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000256-GPOS-00097 ' - tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098) - tag gid: 'V-238300 ' - tag rid: 'SV-238300r654075_rule ' - tag stig_id: 'UBTU-20-010199 ' - tag fix_id: 'F-41469r654074_fix ' - tag cci: %w(CCI-001493 CCI-001494) - tag nist: ['AU-9 a', 'AU-9'] + tag severity: "medium " + tag gtitle: "SRG-OS-000256-GPOS-00097 " + tag satisfies: ["SRG-OS-000256-GPOS-00097", "SRG-OS-000257-GPOS-00098"] + tag gid: "V-238300 " + tag rid: "SV-238300r654075_rule " + tag stig_id: "UBTU-20-010199 " + tag fix_id: "F-41469r654074_fix " + tag cci: ["CCI-001493", "CCI-001494"] + tag nist: ["AU-9 a", "AU-9"] audit_tools = input('audit_tools') @@ -60,4 +71,5 @@ it { should_not be_more_permissive_than('0755') } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238301.rb b/controls/SV-238301.rb index a7ea0dd..b19ff7a 100644 --- a/controls/SV-238301.rb +++ b/controls/SV-238301.rb 
@@ -1,5 +1,5 @@ -control 'SV-238301' do - title 'The Ubuntu operating system must configure audit tools to be owned by root. ' +control "SV-238301" do + title "The Ubuntu operating system must configure audit tools to be owned by root. " desc "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. @@ -12,10 +12,21 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and -report generators. +report generators." + desc "default", "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. - " - desc 'check', "Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user enjoys in order to make access +decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators." + desc "check", "Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent any unauthorized access. Check the ownership by running the following command: 
@@ -34,24 +45,24 @@ /sbin/augenrules root -If any of the audit tools are not owned by root, this is a finding. " - desc 'fix', "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized +If any of the audit tools are not owned by root, this is a finding." + desc "fix", "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized access by setting the file owner as root using the following command: $ sudo chown root [audit_tool] -Replace \"[audit_tool]\" with each audit tool not owned by root. " +Replace \"[audit_tool]\" with each audit tool not owned by root." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000256-GPOS-00097 ' - tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098) - tag gid: 'V-238301 ' - tag rid: 'SV-238301r654078_rule ' - tag stig_id: 'UBTU-20-010200 ' - tag fix_id: 'F-41470r654077_fix ' - tag cci: %w(CCI-001493 CCI-001494) - tag nist: ['AU-9 a', 'AU-9'] + tag severity: "medium " + tag gtitle: "SRG-OS-000256-GPOS-00097 " + tag satisfies: ["SRG-OS-000256-GPOS-00097", "SRG-OS-000257-GPOS-00098"] + tag gid: "V-238301 " + tag rid: "SV-238301r654078_rule " + tag stig_id: "UBTU-20-010200 " + tag fix_id: "F-41470r654077_fix " + tag cci: ["CCI-001493", "CCI-001494"] + tag nist: ["AU-9 a", "AU-9"] audit_tools = input('audit_tools') @@ -60,4 +71,5 @@ its('owner') { should cmp 'root' } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238302.rb b/controls/SV-238302.rb index ece1177..dbd1043 100644 --- a/controls/SV-238302.rb +++ b/controls/SV-238302.rb 
@@ -1,5 +1,5 @@ -control 'SV-238302' do - title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. ' +control "SV-238302" do + title "The Ubuntu operating system must configure the audit tools to be group-owned by root. " desc "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. @@ -12,10 +12,21 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and -report generators. +report generators." + desc "default", "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. - " - desc 'check', "Verify the Ubuntu operating system configures the audit tools to be group-owned by root to +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user enjoys in order to make access +decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators." + desc "check", "Verify the Ubuntu operating system configures the audit tools to be group-owned by root to prevent any unauthorized access. Check the group ownership by running the following 
@@ -35,24 +46,24 @@ /sbin/augenrules root If any of the audit tools are not group-owned by root, this is a -finding. " - desc 'fix', "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized +finding." + desc "fix", "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized access by setting the file group as root using the following command: $ sudo chown :root [audit_tool] -Replace \"[audit_tool]\" with each audit tool not group-owned by root. " +Replace \"[audit_tool]\" with each audit tool not group-owned by root." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000256-GPOS-00097 ' - tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098) - tag gid: 'V-238302 ' - tag rid: 'SV-238302r654081_rule ' - tag stig_id: 'UBTU-20-010201 ' - tag fix_id: 'F-41471r654080_fix ' - tag cci: %w(CCI-001493 CCI-001494) - tag nist: ['AU-9 a', 'AU-9'] + tag severity: "medium " + tag gtitle: "SRG-OS-000256-GPOS-00097 " + tag satisfies: ["SRG-OS-000256-GPOS-00097", "SRG-OS-000257-GPOS-00098"] + tag gid: "V-238302 " + tag rid: "SV-238302r654081_rule " + tag stig_id: "UBTU-20-010201 " + tag fix_id: "F-41471r654080_fix " + tag cci: ["CCI-001493", "CCI-001494"] + tag nist: ["AU-9 a", "AU-9"] audit_tools = input('audit_tools') @@ -61,4 +72,5 @@ its('group') { should cmp 'root' } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238303.rb b/controls/SV-238303.rb index 309e0e2..771b6c6 100644 --- a/controls/SV-238303.rb +++ b/controls/SV-238303.rb @@ -1,4 +1,4 @@ -control 'SV-238303' do +control "SV-238303" do title "The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools. " desc "Protecting the integrity of the tools used for auditing purposes is a critical step toward 
@@ -18,8 +18,26 @@ To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or -files. " - desc 'check', "Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use +files." + desc "default", "Protecting the integrity of the tools used for auditing purposes is a critical step toward +ensuring the integrity of audit information. Audit information includes all information +(e.g., audit records, audit settings, and audit reports) needed to successfully audit +information system activity. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators. + +It is not uncommon for attackers to replace the audit tools or inject +code into the existing tools with the purpose of providing the capability to hide or erase +system activity from the audit logs. + +To address this risk, audit tools must be +cryptographically signed in order to provide the capability to identify when the audit tools +have been modified, manipulated, or replaced. An example is a checksum hash of the file or +files." + desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. Check the selection @@ -42,8 +60,8 @@ p+i+n+u+g+s+b+acl+xattrs+sha512 If any of the seven audit tools do not have appropriate -selection lines, this is a finding. " - desc 'fix', "Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the +selection lines, this is a finding." + desc "fix", "Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the integrity of the audit tools: # Audit Tools 
@@ -58,16 +76,16 @@ /sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules -p+i+n+u+g+s+b+acl+xattrs+sha512 " +p+i+n+u+g+s+b+acl+xattrs+sha512" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000278-GPOS-00108 ' - tag gid: 'V-238303 ' - tag rid: 'SV-238303r654084_rule ' - tag stig_id: 'UBTU-20-010205 ' - tag fix_id: 'F-41472r654083_fix ' - tag cci: ['CCI-001496'] - tag nist: ['AU-9 (3)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000278-GPOS-00108 " + tag gid: "V-238303 " + tag rid: "SV-238303r654084_rule " + tag stig_id: "UBTU-20-010205 " + tag fix_id: "F-41472r654083_fix " + tag cci: ["CCI-001496"] + tag nist: ["AU-9 (3)"] aide_conf = aide_conf input('aide_conf_path') @@ -107,4 +125,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238304.rb b/controls/SV-238304.rb index 15173b7..5490024 100644 --- a/controls/SV-238304.rb +++ b/controls/SV-238304.rb @@ -1,4 +1,4 @@ -control 'SV-238304' do +control "SV-238304" do title "The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions. " 
@@ -10,10 +10,17 @@ Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the -organization-defined software list after review. +organization-defined software list after review." + desc "default", "In certain situations, software applications/programs need to execute with elevated +privileges to perform required functions. However, if the privileges required for +execution are at a higher level than the privileges assigned to organizational users +invoking such applications/programs, those users are indirectly provided with greater +privileges than assigned by the organizations. - " - desc 'check', "Verify the Ubuntu operating system audits the execution of privilege functions by auditing +Some programs and processes are required +to operate at a higher privilege level and therefore should be excluded from the +organization-defined software list after review." + desc "check", "Verify the Ubuntu operating system audits the execution of privilege functions by auditing the \"execve\" system call. Check the currently configured audit rules with the following @@ -37,8 +44,8 @@ - For 32-bit architectures, only the 32-bit specific output lines from the commands are required. - The \"-k\" allows for specifying an arbitrary -identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the Ubuntu operating system to audit the execution of all privileged functions. +identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the Ubuntu operating system to audit the execution of all privileged functions. Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: 
@@ -58,17 +65,17 @@ To reload the rules file, issue the following command: $ -sudo augenrules --load " +sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000326-GPOS-00126 ' - tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127) - tag gid: 'V-238304 ' - tag rid: 'SV-238304r853422_rule ' - tag stig_id: 'UBTU-20-010211 ' - tag fix_id: 'F-41473r654086_fix ' - tag cci: %w(CCI-002233 CCI-002234) - tag nist: ['AC-6 (8)', 'AC-6 (9)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000326-GPOS-00126 " + tag satisfies: ["SRG-OS-000326-GPOS-00126", "SRG-OS-000327-GPOS-00127"] + tag gid: "V-238304 " + tag rid: "SV-238304r853422_rule " + tag stig_id: "UBTU-20-010211 " + tag fix_id: "F-41473r654086_fix " + tag cci: ["CCI-002233", "CCI-002234"] + tag nist: ["AC-6 (8)", "AC-6 (9)"] if os.arch == 'x86_64' describe auditd.syscall('execve').where { arch == 'b64' } do @@ -80,4 +87,5 @@ its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end -end + +end \ No newline at end of file diff --git a/controls/SV-238305.rb b/controls/SV-238305.rb index 5e35e49..f07ea80 100644 --- a/controls/SV-238305.rb +++ b/controls/SV-238305.rb @@ -1,4 +1,4 @@ -control 'SV-238305' do +control "SV-238305" do title "The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility. " 
@@ -7,8 +7,14 @@ The task of allocating audit record storage capacity is usually performed during initial -installation of the operating system. " - desc 'check', "Verify the Ubuntu operating system allocates audit record storage capacity to store at least +installation of the operating system." + desc "default", "In order to ensure operating systems have a sufficient storage capacity in which to write the +audit logs, operating systems need to be able to allocate audit record storage capacity. + + +The task of allocating audit record storage capacity is usually performed during initial +installation of the operating system." + desc "check", "Verify the Ubuntu operating system allocates audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. @@ -41,8 +47,8 @@ If the audit record partition is not allocated for sufficient storage capacity, this is a -finding. " - desc 'fix', "Allocate enough storage capacity for at least one week's worth of audit records when audit +finding." + desc "fix", "Allocate enough storage capacity for at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. If audit @@ -61,16 +67,16 @@ /etc/audit/auditd.conf where <log mountpoint> is the aforementioned mount -point. " +point." impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000341-GPOS-00132 ' - tag gid: 'V-238305 ' - tag rid: 'SV-238305r853423_rule ' - tag stig_id: 'UBTU-20-010215 ' - tag fix_id: 'F-41474r654089_fix ' - tag cci: ['CCI-001849'] - tag nist: ['AU-4'] + tag severity: "low " + tag gtitle: "SRG-OS-000341-GPOS-00132 " + tag gid: "V-238305 " + tag rid: "SV-238305r853423_rule " + tag stig_id: "UBTU-20-010215 " + tag fix_id: "F-41474r654089_fix " + tag cci: ["CCI-001849"] + tag nist: ["AU-4"] log_file = auditd_conf.log_file log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? 
@@ -94,4 +100,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238306.rb b/controls/SV-238306.rb index 9d8c697..243130f 100644 --- a/controls/SV-238306.rb +++ b/controls/SV-238306.rb @@ -1,14 +1,17 @@ -control 'SV-238306' do +control "SV-238306" do title "The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited. " desc "Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit -storage capacity. +storage capacity." + desc "default", "Information stored in one location is vulnerable to accidental or incidental deletion or +alteration. - " - desc 'check', "Verify the audit event multiplexor is configured to offload audit records to a different +Off-loading is a common process in information systems with limited audit +storage capacity." + desc "check", "Verify the audit event multiplexor is configured to offload audit records to a different system or storage media from the system being audited. Check that audisp-remote plugin is @@ -39,8 +42,8 @@ If the \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid -address, this is a finding. " - desc 'fix', "Configure the audit event multiplexor to offload audit records to a different system or +address, this is a finding." + desc "fix", "Configure the audit event multiplexor to offload audit records to a different system or storage media from the system being audited. Install the audisp-remote plugin: 
@@ -67,17 +70,17 @@ Make the audit service reload its configuration files: -$ sudo systemctl restart auditd.service " +$ sudo systemctl restart auditd.service" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000342-GPOS-00133 ' - tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224) - tag gid: 'V-238306 ' - tag rid: 'SV-238306r853424_rule ' - tag stig_id: 'UBTU-20-010216 ' - tag fix_id: 'F-41475r654092_fix ' - tag cci: ['CCI-001851'] - tag nist: ['AU-4 (1)'] + tag severity: "low " + tag gtitle: "SRG-OS-000342-GPOS-00133 " + tag satisfies: ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"] + tag gid: "V-238306 " + tag rid: "SV-238306r853424_rule " + tag stig_id: "UBTU-20-010216 " + tag fix_id: "F-41475r654092_fix " + tag cci: ["CCI-001851"] + tag nist: ["AU-4 (1)"] config_file = input('audispremote_config_file') config_file_exists = file(config_file).exist? @@ -98,4 +101,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238307.rb b/controls/SV-238307.rb index 2c4fd1d..4382fe6 100644 --- a/controls/SV-238307.rb +++ b/controls/SV-238307.rb 
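Review bot: `tag severity: "low "` (and the `gtitle`, `gid`, `rid`, `stig_id` and `fix_id` tags below it) are rewritten in this SV-238306 hunk with a trailing space inside the string, so any consumer that compares `severity == 'low'` or joins results on `gid`/`rid` will silently fail to match this control. Since the commit already rewrites each of these lines, emitting them as `tag severity: "low"`, `tag gid: "V-238306"`, `tag rid: "SV-238306r853424_rule"` costs nothing now and avoids a later whole-profile churn. The `satisfies`, `cci` and `nist` arrays on the same lines are already clean, which makes the inconsistency easy to overlook; the `title` strings carry the same trailing space.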
@@ -1,10 +1,12 @@ -control 'SV-238307' do +control "SV-238307" do title "The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. " desc "If security personnel are not notified immediately when storage volume reaches 75% -utilization, they are unable to plan for audit record storage capacity expansion. " - desc 'check', "Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated +utilization, they are unable to plan for audit record storage capacity expansion." + desc "default", "If security personnel are not notified immediately when storage volume reaches 75% +utilization, they are unable to plan for audit record storage capacity expansion." + desc "check", "Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following command: @@ -47,8 +49,8 @@ Note: If the email address of the System Administrator is on a remote system, a -mail package must be available. " - desc 'fix', "Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or +mail package must be available." + desc "fix", "Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or \"email\". If the \"space_left_action\" parameter is set to \"email\", set the 
@@ -59,16 +61,16 @@ the SA and ISSO. Edit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at -least 25% of the repository maximum audit record storage capacity. " +least 25% of the repository maximum audit record storage capacity." impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000343-GPOS-00134 ' - tag gid: 'V-238307 ' - tag rid: 'SV-238307r853425_rule ' - tag stig_id: 'UBTU-20-010217 ' - tag fix_id: 'F-41476r654095_fix ' - tag cci: ['CCI-001855'] - tag nist: ['AU-5 (1)'] + tag severity: "low " + tag gtitle: "SRG-OS-000343-GPOS-00134 " + tag gid: "V-238307 " + tag rid: "SV-238307r853425_rule " + tag stig_id: "UBTU-20-010217 " + tag fix_id: "F-41476r654095_fix " + tag cci: ["CCI-001855"] + tag nist: ["AU-5 (1)"] log_file = auditd_conf.log_file log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? @@ -98,4 +100,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238308.rb b/controls/SV-238308.rb index 7a3aaf4..704fe77 100644 --- a/controls/SV-238308.rb +++ b/controls/SV-238308.rb @@ -1,4 +1,4 @@ -control 'SV-238308' do +control "SV-238308" do title "The Ubuntu operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). " desc "If time stamps are not consistently applied and there is no common time reference, it is 
@@ -6,32 +6,39 @@ Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a -modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. " - desc 'check', "To verify the time zone is configured to use UTC or GMT, run the following command. +modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC." + desc "default", "If time stamps are not consistently applied and there is no common time reference, it is +difficult to perform forensic analysis. + +Time stamps generated by the operating system +include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a +modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC." + desc "check", "To verify the time zone is configured to use UTC or GMT, run the following command. $ timedatectl status | grep -i \"time zone\" Timezone: UTC (UTC, +0000) If \"Timezone\" is not -set to UTC or GMT, this is a finding. " - desc 'fix', "To configure the system time zone to use UTC or GMT, run the following command, replacing +set to UTC or GMT, this is a finding." 
+ desc "fix", "To configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with UTC or GMT: -$ sudo timedatectl set-timezone [ZONE] " +$ sudo timedatectl set-timezone [ZONE]" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000359-GPOS-00146 ' - tag gid: 'V-238308 ' - tag rid: 'SV-238308r853426_rule ' - tag stig_id: 'UBTU-20-010230 ' - tag fix_id: 'F-41477r654098_fix ' - tag cci: ['CCI-001890'] - tag nist: ['AU-8 b'] + tag severity: "low " + tag gtitle: "SRG-OS-000359-GPOS-00146 " + tag gid: "V-238308 " + tag rid: "SV-238308r853426_rule " + tag stig_id: "UBTU-20-010230 " + tag fix_id: "F-41477r654098_fix " + tag cci: ["CCI-001890"] + tag nist: ["AU-8 b"] time_zone = command('timedatectl status | grep -i "time zone"').stdout.strip describe time_zone do it { should match 'UTC' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238309.rb b/controls/SV-238309.rb index d99bd4b..10e97b7 100644 --- a/controls/SV-238309.rb +++ b/controls/SV-238309.rb @@ -1,4 +1,4 @@ -control 'SV-238309' do +control "SV-238309" do title "The Ubuntu operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access. " desc "If events associated with nonlocal administrative access or diagnostic sessions are not 
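Review bot: the describe block at the end of the SV-238308 hunk, `it { should match 'UTC' }`, fails a host whose zone is `GMT` even though the check text two lines above (and the new `desc "default"` text) explicitly accepts `UTC or GMT`; and because the string form of `match` is a substring test against the whole grep line, a naive widening to `/GMT/` would also pass `Europe/London (GMT, +0000)` in winter. These lines are unchanged context in the hunk, but the rewritten description now makes the mismatch explicit. Anchoring on the zone name handles both accepted values without the offset false positive: `it { should match(/Time zone:\s*(Etc\/)?(UTC|GMT)\b/i) }`.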
@@ -20,10 +20,28 @@ requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of -an Ethernet switch. +an Ethernet switch." + desc "default", "If events associated with nonlocal administrative access or diagnostic sessions are not +logged, a major tool for assessing and investigating attacks would not be available. + +This +requirement addresses auditing-related issues associated with maintenance tools used +specifically for diagnostic and repair actions on organizational information systems. + + +Nonlocal maintenance and diagnostic activities are those activities conducted by +individuals communicating through a network, either an external network (e.g., the +internet) or an internal network. Local maintenance and diagnostic activities are those +activities carried out by individuals physically present at the information system or +information system component and not communicating across a network connection. - " - desc 'check', "Verify the Ubuntu operating system audits activities performed during nonlocal +This +requirement applies to hardware/software diagnostic test equipment or tools. This +requirement does not cover hardware/software components that may support information +system maintenance, yet are a part of the system, for example, the software implementing +\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of +an Ethernet switch." + desc "check", "Verify the Ubuntu operating system audits activities performed during nonlocal maintenance and diagnostic sessions. Check the currently configured audit rules with the 
@@ -38,8 +56,8 @@ commented out, this is a finding. Note: The \"-k\" allows for specifying an arbitrary -identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the Ubuntu operating system to audit activities performed during nonlocal +identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the Ubuntu operating system to audit activities performed during nonlocal maintenance and diagnostic sessions. Add or update the following rules in the @@ -50,17 +68,17 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000392-GPOS-00172 ' - tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215) - tag gid: 'V-238309 ' - tag rid: 'SV-238309r853427_rule ' - tag stig_id: 'UBTU-20-010244 ' - tag fix_id: 'F-41478r654101_fix ' - tag cci: %w(CCI-000172 CCI-002884) - tag nist: ['AU-12 c', 'MA-4 (1) (a)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000392-GPOS-00172 " + tag satisfies: ["SRG-OS-000392-GPOS-00172", "SRG-OS-000471-GPOS-00215"] + tag gid: "V-238309 " + tag rid: "SV-238309r853427_rule " + tag stig_id: "UBTU-20-010244 " + tag fix_id: "F-41478r654101_fix " + tag cci: ["CCI-000172", "CCI-002884"] + tag nist: ["AU-12 c", "MA-4 (1) (a)"] @audit_file = '/var/log/sudo.log' @@ -85,4 +103,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238310.rb b/controls/SV-238310.rb index 6683605..203f028 100644 --- a/controls/SV-238310.rb +++ b/controls/SV-238310.rb @@ -1,4 +1,4 @@ -control 'SV-238310' do +control "SV-238310" do title "The Ubuntu operating system must generate audit records for any successful/unsuccessful use of unlink, unlinkat, rename, renameat, and rmdir system calls. " desc "Without generating audit records that are specific to the security and mission needs of the 
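Review bot: every file in this commit ends with `-end` / `+` / `+end` followed by `\ No newline at end of file` — the rewriter inserts a blank line before the final `end` and drops the file's terminating newline, which is the reverse of the Ruby convention (no trailing blank lines, exactly one final newline) that rubocop enforces under `Layout/TrailingEmptyLines`. Visible here in the SV-238309 `@@ -85,4 +103,5 @@` hunk and repeated for each control. If this output comes from the delta tool, fix its writer to emit `end\n` once rather than patching every control afterwards, otherwise the next hand edit will reintroduce newline-only diffs.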
@@ -13,8 +13,21 @@ syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into -one rule whenever possible. " - desc 'check', "Verify the Ubuntu operating system generates audit records for any +one rule whenever possible." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). + +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible." + desc "check", "Verify the Ubuntu operating system generates audit records for any successful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls. 
@@ -37,8 +50,8 @@ For 32-bit architectures, only the 32-bit specific output lines from the commands are required. The \"key\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate audit events for any successful/unsuccessful use of +string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate audit events for any successful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls. Add or update the @@ -56,16 +69,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000468-GPOS-00212 ' - tag gid: 'V-238310 ' - tag rid: 'SV-238310r832953_rule ' - tag stig_id: 'UBTU-20-010267 ' - tag fix_id: 'F-41479r832952_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000468-GPOS-00212 " + tag gid: "V-238310 " + tag rid: "SV-238310r832953_rule " + tag stig_id: "UBTU-20-010267 " + tag fix_id: "F-41479r832952_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] if os.arch == 'x86_64' describe auditd.syscall('unlink').where { arch == 'b64' } do @@ -77,4 +90,5 @@ its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end -end + +end \ No newline at end of file diff --git a/controls/SV-238315.rb b/controls/SV-238315.rb index 4a74fe5..c919ced 100644 --- a/controls/SV-238315.rb +++ b/controls/SV-238315.rb 
@@ -1,13 +1,20 @@ -control 'SV-238315' do - title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ' +control "SV-238315" do + title "The Ubuntu operating system must generate audit records for the /var/log/wtmp file. " desc "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates audit records showing start and stop times for +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via the \"/var/log/wtmp\" file. Check the currently configured @@ -22,8 +29,8 @@ the line is commented out, this is a finding. Note: The \"-k\" allows for specifying an -arbitrary identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate audit events showing start and stop times for user +arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate audit events showing start and stop times for user access via the \"/var/log/wtmp\" file. Add or update the following rules in the 
@@ -34,16 +41,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000472-GPOS-00217 ' - tag gid: 'V-238315 ' - tag rid: 'SV-238315r654120_rule ' - tag stig_id: 'UBTU-20-010277 ' - tag fix_id: 'F-41484r654119_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000472-GPOS-00217 " + tag gid: "V-238315 " + tag rid: "SV-238315r654120_rule " + tag stig_id: "UBTU-20-010277 " + tag fix_id: "F-41484r654119_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/var/log/wtmp' @@ -68,4 +75,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238316.rb b/controls/SV-238316.rb index 943789b..d0bd22e 100644 --- a/controls/SV-238316.rb +++ b/controls/SV-238316.rb 
@@ -1,13 +1,20 @@ -control 'SV-238316' do - title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ' +control "SV-238316" do + title "The Ubuntu operating system must generate audit records for the /var/run/wtmp file. " desc "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates audit records showing start and stop times for +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via the \"/var/run/wtmp\" file. Check the currently configured @@ -22,8 +29,8 @@ the line is commented out, this is a finding. Note: The \"-k\" allows for specifying an -arbitrary identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate audit events showing start and stop times for user +arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate audit events showing start and stop times for user access via the \"/var/run/wtmp\" file. Add or update the following rules in the 
@@ -34,16 +41,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000472-GPOS-00217 ' - tag gid: 'V-238316 ' - tag rid: 'SV-238316r654123_rule ' - tag stig_id: 'UBTU-20-010278 ' - tag fix_id: 'F-41485r654122_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000472-GPOS-00217 " + tag gid: "V-238316 " + tag rid: "SV-238316r654123_rule " + tag stig_id: "UBTU-20-010278 " + tag fix_id: "F-41485r654122_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/var/run/wtmp' @@ -68,4 +75,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238317.rb b/controls/SV-238317.rb index eb070f0..979aefa 100644 --- a/controls/SV-238317.rb +++ b/controls/SV-238317.rb 
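Review bot: `@audit_file = '/var/run/wtmp'` in the SV-238316 hunk names a path that normally does not exist on Ubuntu 20.04: the wtmp log is `/var/log/wtmp` (already covered by SV-238315 in this same patch) and what lives under `/var/run` is `utmp`. The value is copied from the STIG text, so the control may be faithfully reproducing a STIG erratum, but a `-w` rule on an absent file audits nothing, and the checks that consume `@audit_file` are outside this hunk so I cannot tell whether they would notice. Worth confirming against the current STIG release; if it has been corrected to `/var/run/utmp`, update the title, both desc strings and `@audit_file` together so they do not disagree.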
@@ -1,13 +1,20 @@ -control 'SV-238317' do - title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. ' +control "SV-238317" do + title "The Ubuntu operating system must generate audit records for the /var/log/btmp file. " desc "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system generates audit records showing start and stop times for +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via the \"/var/log/btmp\" file. Check the currently configured @@ -22,8 +29,8 @@ the line is commented out, this is a finding. Note: The \"-k\" allows for specifying an -arbitrary identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the audit system to generate audit events showing start and stop times for user +arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate audit events showing start and stop times for user access via the \"/var/log/btmp file\". Add or update the following rules in the 
@@ -34,16 +41,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000472-GPOS-00217 ' - tag gid: 'V-238317 ' - tag rid: 'SV-238317r654126_rule ' - tag stig_id: 'UBTU-20-010279 ' - tag fix_id: 'F-41486r654125_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000472-GPOS-00217 " + tag gid: "V-238317 " + tag rid: "SV-238317r654126_rule " + tag stig_id: "UBTU-20-010279 " + tag fix_id: "F-41486r654125_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/var/log/btmp' @@ -68,4 +75,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238318.rb b/controls/SV-238318.rb index d328537..e0f8383 100644 --- a/controls/SV-238318.rb +++ b/controls/SV-238318.rb @@ -1,4 +1,4 @@ -control 'SV-238318' do +control "SV-238318" do title "The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use modprobe command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify if the Ubuntu operating system is configured to audit the execution of the module +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify if the Ubuntu operating system is configured to audit the execution of the module management program \"modprobe\" by running the following command: $ sudo auditctl -l | grep @@ -20,8 +27,8 @@ or the line is commented out, this is a finding. Note: The \"-k\" allows for specifying an -arbitrary identifier, and the string after it does not need to match the example output above. " - desc 'fix', "Configure the Ubuntu operating system to audit the execution of the module management +arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the Ubuntu operating system to audit the execution of the module management program \"modprobe\". Add or update the following rule in the 
@@ -32,16 +39,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000477-GPOS-00222 ' - tag gid: 'V-238318 ' - tag rid: 'SV-238318r654129_rule ' - tag stig_id: 'UBTU-20-010296 ' - tag fix_id: 'F-41487r654128_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000477-GPOS-00222 " + tag gid: "V-238318 " + tag rid: "SV-238318r654129_rule " + tag stig_id: "UBTU-20-010296 " + tag fix_id: "F-41487r654128_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/sbin/modprobe' @@ -65,4 +72,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238319.rb b/controls/SV-238319.rb index 316e760..7f0c3bd 100644 --- a/controls/SV-238319.rb +++ b/controls/SV-238319.rb @@ -1,4 +1,4 @@ -control 'SV-238319' do +control "SV-238319" do title "The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the kmod command. " desc "Without generating audit records that are specific to the security and mission needs of the 
@@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system is configured to audit the execution of the module +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system is configured to audit the execution of the module management program \"kmod\". Check the currently configured audit rules with the following @@ -23,8 +30,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example -output above. " - desc 'fix', "Configure the Ubuntu operating system to audit the execution of the module management +output above." + desc "fix", "Configure the Ubuntu operating system to audit the execution of the module management program \"kmod\". Add or update the following rule in the \"/etc/audit/rules.d/stig.rules\" @@ -35,16 +42,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000477-GPOS-00222 ' - tag gid: 'V-238319 ' - tag rid: 'SV-238319r654132_rule ' - tag stig_id: 'UBTU-20-010297 ' - tag fix_id: 'F-41488r654131_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000477-GPOS-00222 " + tag gid: "V-238319 " + tag rid: "SV-238319r654132_rule " + tag stig_id: "UBTU-20-010297 " + tag fix_id: "F-41488r654131_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/bin/kmod' 
@@ -68,4 +75,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238320.rb b/controls/SV-238320.rb index ff54ef6..91cd744 100644 --- a/controls/SV-238320.rb +++ b/controls/SV-238320.rb @@ -1,4 +1,4 @@ -control 'SV-238320' do +control "SV-238320" do title "The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the fdisk command. " desc "Without generating audit records that are specific to the security and mission needs of the @@ -7,8 +7,15 @@ Audit records can be generated from various components within the information system (e.g., module or policy -filter). " - desc 'check', "Verify the Ubuntu operating system is configured to audit the execution of the partition +filter)." + desc "default", "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter)." + desc "check", "Verify the Ubuntu operating system is configured to audit the execution of the partition management program \"fdisk\". Check the currently configured audit rules with the @@ -23,8 +30,8 @@ Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to -match the example output above. " - desc 'fix', "Configure the Ubuntu operating system to audit the execution of the partition management +match the example output above." + desc "fix", "Configure the Ubuntu operating system to audit the execution of the partition management program \"fdisk\". Add or update the following rule in the 
@@ -35,16 +42,16 @@ To reload the rules file, issue the following command: -$ sudo augenrules --load " +$ sudo augenrules --load" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000477-GPOS-00222 ' - tag gid: 'V-238320 ' - tag rid: 'SV-238320r832956_rule ' - tag stig_id: 'UBTU-20-010298 ' - tag fix_id: 'F-41489r832955_fix ' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] + tag severity: "medium " + tag gtitle: "SRG-OS-000477-GPOS-00222 " + tag gid: "V-238320 " + tag rid: "SV-238320r832956_rule " + tag stig_id: "UBTU-20-010298 " + tag fix_id: "F-41489r832955_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] @audit_file = '/sbin/fdisk' @@ -68,4 +75,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238321.rb b/controls/SV-238321.rb index 4c1d193..7c455dc 100644 --- a/controls/SV-238321.rb +++ b/controls/SV-238321.rb @@ -1,12 +1,17 @@ -control 'SV-238321' do +control "SV-238321" do title "The Ubuntu operating system must have a crontab script running weekly to offload audit events of standalone systems. " desc "Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit -storage capacity. " - desc 'check', "Note: If this is an interconnected system, this is Not Applicable. +storage capacity." + desc "default", "Information stored in one location is vulnerable to accidental or incidental deletion or +alteration. + +Offloading is a common process in information systems with limited audit +storage capacity." + desc "check", "Note: If this is an interconnected system, this is Not Applicable. Verify there is a script that offloads audit data and that script runs weekly. 
@@ -23,20 +28,20 @@ external media. If the script file does not exist or does not offload audit logs, this is a -finding. " - desc 'fix', "Create a script that offloads audit logs to external media and runs weekly. +finding." + desc "fix", "Create a script that offloads audit logs to external media and runs weekly. The script must -be located in the \"/etc/cron.weekly\" directory. " +be located in the \"/etc/cron.weekly\" directory." impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000479-GPOS-00224 ' - tag gid: 'V-238321 ' - tag rid: 'SV-238321r853428_rule ' - tag stig_id: 'UBTU-20-010300 ' - tag fix_id: 'F-41490r654137_fix ' - tag cci: ['CCI-001851'] - tag nist: ['AU-4 (1)'] + tag severity: "low " + tag gtitle: "SRG-OS-000479-GPOS-00224 " + tag gid: "V-238321 " + tag rid: "SV-238321r853428_rule " + tag stig_id: "UBTU-20-010300 " + tag fix_id: "F-41490r654137_fix " + tag cci: ["CCI-001851"] + tag nist: ["AU-4 (1)"] cron_file = input('auditoffload_config_file') cron_file_exists = file(cron_file).exist? @@ -51,4 +56,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238323.rb b/controls/SV-238323.rb index be74576..10449cf 100644 --- a/controls/SV-238323.rb +++ b/controls/SV-238323.rb @@ -1,4 +1,4 @@ -control 'SV-238323' do +control "SV-238323" do title "The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. " desc "The Ubuntu operating system management includes the ability to control the number of users 
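Review bot: `cron_file_exists = file(cron_file).exist?` in the SV-238321 hunk only proves that a file named by the `auditoffload_config_file` input is present; the check text in the same hunk makes a finding when the script "does not offload audit logs", and the fix requires it to live in `/etc/cron.weekly`, neither of which an existence test covers. The describe block that uses the flag is outside the hunk, but at minimum the control could assert location and runnability — `its('path') { should start_with '/etc/cron.weekly/' }` and `it { should be_executable }` — and state in a comment that the content check remains a manual review. The check's "Not Applicable for interconnected systems" clause also has no visible input or skip, so such systems will report a failure unless one exists beyond this hunk.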
@@ -9,8 +9,17 @@ addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational -environment for each system. " - desc 'check', "Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all +environment for each system." + desc "default", "The Ubuntu operating system management includes the ability to control the number of users +and user sessions that utilize an operating system. Limiting the number of allowed users and +sessions per user is helpful in reducing the risks related to DoS attacks. + +This requirement +addresses concurrent sessions for information system accounts and does not address +concurrent sessions by single users via multiple system accounts. The maximum number of +concurrent sessions should be defined based upon mission needs and the operational +environment for each system." + desc "check", "Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all accounts and/or account types by running the following command: $ grep maxlogins 
@@ -22,25 +31,26 @@ * hard maxlogins 10 If the \"maxlogins\" item is missing or the value is not -set to 10 or less or is commented out, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all +set to 10 or less or is commented out, this is a finding." + desc "fix", "Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all accounts and/or account types. Add the following line to the top of the \"/etc/security/limits.conf\" file: -* hard maxlogins 10 " +* hard maxlogins 10" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000027-GPOS-00008 ' - tag gid: 'V-238323 ' - tag rid: 'SV-238323r654144_rule ' - tag stig_id: 'UBTU-20-010400 ' - tag fix_id: 'F-41492r654143_fix ' - tag cci: ['CCI-000054'] - tag nist: ['AC-10'] + tag severity: "low " + tag gtitle: "SRG-OS-000027-GPOS-00008 " + tag gid: "V-238323 " + tag rid: "SV-238323r654144_rule " + tag stig_id: "UBTU-20-010400 " + tag fix_id: "F-41492r654143_fix " + tag cci: ["CCI-000054"] + tag nist: ["AC-10"] describe limits_conf do its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] } end -end + +end \ No newline at end of file diff --git a/controls/SV-238324.rb b/controls/SV-238324.rb index 96d72e8..a094797 100644 --- a/controls/SV-238324.rb +++ b/controls/SV-238324.rb @@ -1,5 +1,5 @@ -control 'SV-238324' do - title 'The Ubuntu operating system must monitor remote access methods. ' +control "SV-238324" do + title "The Ubuntu operating system must monitor remote access methods. " desc "Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. 
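Review bot: The assertion `its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }` only passes on an exact match with the input, while the check text it sits under accepts "10 or less", so a site that hardens to `* hard maxlogins 5` is reported as a finding. It also reads only `/etc/security/limits.conf`, whereas pam_limits also honours fragments in `/etc/security/limits.d/`, which can override the wildcard line. Compare the configured value numerically instead, e.g. `limits_conf.send('*').select { |e| e[0..1] == ['hard', 'maxlogins'] }.map { |e| e[2].to_i }`, and assert the list is non-empty and every element is `<= input('maxlogins').to_i`; consider running the same resource over the `limits.d` files.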
@@ -13,8 +13,22 @@ sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system -components (e.g., servers, workstations, notebook computers, smartphones, and tablets). " - desc 'check', "Verify that the Ubuntu operating system monitors all remote access methods. +components (e.g., servers, workstations, notebook computers, smartphones, and tablets)." + desc "default", "Remote access services, such as those providing remote access to network devices and +information systems, which lack automated monitoring capabilities, increase risk and make +remote user access management difficult at best. + +Remote access is access to DoD nonpublic +information systems by an authorized user (or an information system) communicating through +an external, non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + +Automated monitoring of remote access +sessions allows organizations to detect cyber attacks and also ensure ongoing compliance +with remote access policies by auditing connection activities of remote access +capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system +components (e.g., servers, workstations, notebook computers, smartphones, and tablets)." + desc "check", "Verify that the Ubuntu operating system monitors all remote access methods. Check that remote access methods are being logged by running the following command: 
@@ -28,8 +42,8 @@ If \"auth.*\", \"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config -files, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to monitor all remote access methods by adding the +files, this is a finding." + desc "fix", "Configure the Ubuntu operating system to monitor all remote access methods by adding the following lines to the \"/etc/rsyslog.d/50-default.conf\" file: auth.*,authpriv.* @@ -39,16 +53,16 @@ For the changes to take effect, restart the \"rsyslog\" service with the following command: -$ sudo systemctl restart rsyslog.service " +$ sudo systemctl restart rsyslog.service" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000032-GPOS-00013 ' - tag gid: 'V-238324 ' - tag rid: 'SV-238324r832959_rule ' - tag stig_id: 'UBTU-20-010403 ' - tag fix_id: 'F-41493r832958_fix ' - tag cci: ['CCI-000067'] - tag nist: ['AC-17 (1)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000032-GPOS-00013 " + tag gid: "V-238324 " + tag rid: "SV-238324r832959_rule " + tag stig_id: "UBTU-20-010403 " + tag fix_id: "F-41493r832958_fix " + tag cci: ["CCI-000067"] + tag nist: ["AC-17 (1)"] options = { assignment_regex: /^\s*([^:]*?)\s*\t\s*(.*?)\s*$/, @@ -64,4 +78,5 @@ it { should_not be_nil } it { should_not be_empty } end -end + +end \ No newline at end of file diff --git a/controls/SV-238325.rb b/controls/SV-238325.rb index 7b83fd1..eedff3f 100644 --- a/controls/SV-238325.rb +++ b/controls/SV-238325.rb 
@@ -1,10 +1,13 @@ -control 'SV-238325' do +control "SV-238325" do title "The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. " desc "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear -text) and easily compromised. " - desc 'check', "Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS +text) and easily compromised." + desc "default", "Passwords need to be protected at all times, and encryption is the standard method for +protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear +text) and easily compromised." + desc "check", "Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS 140-2 approved cryptographic hashing algorithm. Check the hashing algorithm that is 
@@ -16,25 +19,26 @@ ENCRYPT_METHOD SHA512 If \"ENCRYPT_METHOD\" does not equal SHA512 or -greater, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to encrypt all stored passwords. +greater, this is a finding." + desc "fix", "Configure the Ubuntu operating system to encrypt all stored passwords. Edit/modify the following line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512: -ENCRYPT_METHOD SHA512 " +ENCRYPT_METHOD SHA512" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000120-GPOS-00061 ' - tag gid: 'V-238325 ' - tag rid: 'SV-238325r654150_rule ' - tag stig_id: 'UBTU-20-010404 ' - tag fix_id: 'F-41494r654149_fix ' - tag cci: ['CCI-000803'] - tag nist: ['IA-7'] + tag severity: "medium " + tag gtitle: "SRG-OS-000120-GPOS-00061 " + tag gid: "V-238325 " + tag rid: "SV-238325r654150_rule " + tag stig_id: "UBTU-20-010404 " + tag fix_id: "F-41494r654149_fix " + tag cci: ["CCI-000803"] + tag nist: ["IA-7"] describe login_defs do its('ENCRYPT_METHOD') { should eq 'SHA512' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238326.rb b/controls/SV-238326.rb index cf82c33..27c2521 100644 --- a/controls/SV-238326.rb +++ b/controls/SV-238326.rb 
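Review bot: `ENCRYPT_METHOD` in login.defs only governs hashes written from now on, so the describe block passes on a host whose `/etc/shadow` still holds `$1$` (MD5) or `$5$` (SHA-256) hashes set before the setting was changed, which is exactly the stored-password exposure this requirement is about. Add a second assertion over the shadow file, something like `describe shadow.where { password =~ /^\$(?!6\$)/ }.users do it { should be_empty } end`, so any non-SHA-512 hash fails the control (locked `!`/`*` entries do not match the `^\$` anchor). Note the check text says "SHA512 or greater" while the test pins `eq 'SHA512'`; if yescrypt is to be accepted on newer images, the regex and the `eq` need widening together.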
@@ -1,29 +1,33 @@ -control 'SV-238326' do - title 'The Ubuntu operating system must not have the telnet package installed. ' +control "SV-238326" do + title "The Ubuntu operating system must not have the telnet package installed. " desc "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear -text) and easily compromised. " - desc 'check', "Verify that the telnet package is not installed on the Ubuntu operating system by running the +text) and easily compromised." + desc "default", "Passwords need to be protected at all times, and encryption is the standard method for +protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear +text) and easily compromised." + desc "check", "Verify that the telnet package is not installed on the Ubuntu operating system by running the following command: $ dpkg -l | grep telnetd -If the package is installed, this is a finding. " - desc 'fix', "Remove the telnet package from the Ubuntu operating system by running the following command: +If the package is installed, this is a finding." + desc "fix", "Remove the telnet package from the Ubuntu operating system by running the following command: -$ sudo apt-get remove telnetd " +$ sudo apt-get remove telnetd" impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000074-GPOS-00042 ' - tag gid: 'V-238326 ' - tag rid: 'SV-238326r654153_rule ' - tag stig_id: 'UBTU-20-010405 ' - tag fix_id: 'F-41495r654152_fix ' - tag cci: ['CCI-000197'] - tag nist: ['IA-5 (1) (c)'] + tag severity: "high " + tag gtitle: "SRG-OS-000074-GPOS-00042 " + tag gid: "V-238326 " + tag rid: "SV-238326r654153_rule " + tag stig_id: "UBTU-20-010405 " + tag fix_id: "F-41495r654152_fix " + tag cci: ["CCI-000197"] + tag nist: ["IA-5 (1) (c)"] describe package('telnetd') do it { should_not be_installed } end -end + +end \ No newline at end of file 
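Review bot: The package test covers only `telnetd`, but Ubuntu also ships telnet servers under other package names (`inetutils-telnetd`, `telnetd-ssl`), and the `dpkg -l | grep telnetd` in the check text would match the first of those while the InSpec assertion would not. Either widen the describe, e.g. `%w[telnetd inetutils-telnetd telnetd-ssl].each { |p| describe package(p) do it { should_not be_installed } end }`, or add a comment stating that only the STIG-named package is asserted. The rationale under `desc` is the password-protection paragraph identical to the previous control's; it is presumably what the STIG publishes, so leave it, but a one-line comment saying so would stop the next reader from "fixing" it.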
diff --git a/controls/SV-238327.rb b/controls/SV-238327.rb index 8d603ce..a75025e 100644 --- a/controls/SV-238327.rb +++ b/controls/SV-238327.rb @@ -1,5 +1,5 @@ -control 'SV-238327' do - title 'The Ubuntu operating system must not have the rsh-server package installed. ' +control "SV-238327" do + title "The Ubuntu operating system must not have the rsh-server package installed. " desc "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the 
@@ -13,29 +13,44 @@ Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every -mission, but which cannot be disabled. " - desc 'check', "Verify the rsh-server package is installed with the following command: +mission, but which cannot be disabled." + desc "default", "It is detrimental for operating systems to provide, or install by default, functionality +exceeding requirements or mission objectives. These unnecessary capabilities or services +are often overlooked and therefore may remain unsecured. They increase the risk to the +platform by providing additional attack vectors. + +Operating systems are capable of +providing a wide variety of functions and services. Some of the functions and services, +provided by default, may not be necessary to support essential organizational operations +(e.g., key missions, functions). + +Examples of non-essential capabilities include, but +are not limited to, games, software packages, tools, and demonstration software, not +related to requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled." + desc "check", "Verify the rsh-server package is installed with the following command: $ dpkg -l | grep rsh-server -If the rsh-server package is installed, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to disable non-essential capabilities by removing +If the rsh-server package is installed, this is a finding." 
+ desc "fix", "Configure the Ubuntu operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command: $ sudo apt-get remove -rsh-server " +rsh-server" impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000095-GPOS-00049 ' - tag gid: 'V-238327 ' - tag rid: 'SV-238327r654156_rule ' - tag stig_id: 'UBTU-20-010406 ' - tag fix_id: 'F-41496r654155_fix ' - tag cci: ['CCI-000381'] - tag nist: ['CM-7 a'] + tag severity: "high " + tag gtitle: "SRG-OS-000095-GPOS-00049 " + tag gid: "V-238327 " + tag rid: "SV-238327r654156_rule " + tag stig_id: "UBTU-20-010406 " + tag fix_id: "F-41496r654155_fix " + tag cci: ["CCI-000381"] + tag nist: ["CM-7 a"] describe package('rsh-server') do it { should_not be_installed } end -end + +end \ No newline at end of file diff --git a/controls/SV-238328.rb b/controls/SV-238328.rb index dd45d0e..b96054f 100644 --- a/controls/SV-238328.rb +++ b/controls/SV-238328.rb @@ -1,4 +1,4 @@ -control 'SV-238328' do +control "SV-238328" do title "The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. " 
@@ -18,8 +18,25 @@ functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to -address authorized quality of life issues. " - desc 'check', "Verify the Ubuntu operating system is configured to prohibit or restrict the use of +address authorized quality of life issues." + desc "default", "In order to prevent unauthorized connection of devices, unauthorized transfer of +information, or unauthorized tunneling (i.e., embedding of data types within data types), +organizations must disable or restrict unused or unnecessary physical and logical +ports/protocols on information systems. + +Operating systems are capable of providing a +wide variety of functions and services. Some of the functions and services provided by +default may not be necessary to support essential organizational operations. +Additionally, it is sometimes convenient to provide multiple services from a single +component (e.g., VPN and IPS); however, doing so increases risk over limiting the services +provided by any one component. + +To support the requirements and principles of least +functionality, the operating system must support the organizational requirements, +providing only essential capabilities and limiting the use of ports, protocols, and/or +services to only those required, authorized, and approved to conduct official business or to +address authorized quality of life issues." + desc "check", "Verify the Ubuntu operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
@@ -54,8 +71,8 @@ If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a -finding. " - desc 'fix', "Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command: +finding." + desc "fix", "Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command: $ sudo ufw allow <direction> <port/protocol/service> @@ -67,16 +84,16 @@ To deny access to ports, protocols, or services, use: $ sudo ufw deny -<direction> <port/protocol/service> " +<direction> <port/protocol/service>" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000096-GPOS-00050 ' - tag gid: 'V-238328 ' - tag rid: 'SV-238328r654159_rule ' - tag stig_id: 'UBTU-20-010407 ' - tag fix_id: 'F-41497r654158_fix ' - tag cci: ['CCI-000382'] - tag nist: ['CM-7 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000096-GPOS-00050 " + tag gid: "V-238328 " + tag rid: "SV-238328r654159_rule " + tag stig_id: "UBTU-20-010407 " + tag fix_id: "F-41497r654158_fix " + tag cci: ["CCI-000382"] + tag nist: ["CM-7 b"] ufw_status = command('ufw status').stdout.strip.lines.first value = ufw_status.split(':')[1].strip @@ -88,4 +105,5 @@ describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do skip 'Status listings checks must be preformed manually' end -end + +end \ No newline at end of file diff --git a/controls/SV-238329.rb b/controls/SV-238329.rb index 346a80c..1526e4c 100644 --- a/controls/SV-238329.rb +++ b/controls/SV-238329.rb @@ -1,5 +1,5 @@ -control 'SV-238329' do - title 'The Ubuntu operating system must prevent direct login into the root account. ' +control "SV-238329" do + title "The Ubuntu operating system must prevent direct login into the root account. " desc "To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. 
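Review bot: `value = ufw_status.split(':')[1].strip` raises `NoMethodError` on `nil` whenever `command('ufw status').stdout` is empty, which happens when ufw is not installed or the scan runs unprivileged (ufw reports "need to be root" on stderr), so the control errors out instead of producing a finding. Coerce before indexing, `ufw_status = command('ufw status').stdout.strip.lines.first.to_s` and `value = ufw_status.split(':')[1].to_s.strip`, so an empty result reaches the describe that consumes `value` as a failing expectation rather than an exception. That describe, and the manual skip's justification, sit outside the hunk.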
@@ -23,8 +23,32 @@ Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group -account knowledge. " - desc 'check', "Verify the Ubuntu operating system prevents direct logins to the root account with the +account knowledge." + desc "default", "To assure individual accountability and prevent unauthorized access, organizational +users must be individually identified and authenticated. + +A group authenticator is a +generic account used by multiple individuals. Use of a group authenticator alone does not +uniquely identify individual users. Examples of the group authenticator is the UNIX OS +\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\" +account. + +For example, the UNIX and Windows operating systems offer a 'switch user' +capability allowing users to authenticate with their individual credentials and, when +needed, 'switch' to the administrator role. This method provides for unique individual +authentication prior to using a group authenticator. + +Users (and any processes acting on +behalf of users) need to be uniquely identified and authenticated for all accesses other than +those accesses explicitly identified and documented by the organization, which outlines +specific user actions that can be performed on the operating system without identification +or authentication. + +Requiring individuals to be authenticated with an individual +authenticator prior to using a group authenticator allows for traceability of actions, as +well as adding an additional level of protection of the actions that can be taken with group +account knowledge." + desc "check", "Verify the Ubuntu operating system prevents direct logins to the root account with the following command: $ sudo passwd -S root 
@@ -32,20 +56,20 @@ root L 04/23/2020 0 99999 7 -1 If the output does -not contain \"L\" in the second field to indicate the account is locked, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to prevent direct logins to the root account by +not contain \"L\" in the second field to indicate the account is locked, this is a finding." + desc "fix", "Configure the Ubuntu operating system to prevent direct logins to the root account by performing the following operations: -$ sudo passwd -l root " +$ sudo passwd -l root" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000109-GPOS-00056 ' - tag gid: 'V-238329 ' - tag rid: 'SV-238329r654162_rule ' - tag stig_id: 'UBTU-20-010408 ' - tag fix_id: 'F-41498r654161_fix ' - tag cci: ['CCI-000770'] - tag nist: ['IA-2 (5)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000109-GPOS-00056 " + tag gid: "V-238329 " + tag rid: "SV-238329r654162_rule " + tag stig_id: "UBTU-20-010408 " + tag fix_id: "F-41498r654161_fix " + tag cci: ["CCI-000770"] + tag nist: ["IA-2 (5)"] describe.one do describe shadow.where(user: 'root') do @@ -55,4 +79,5 @@ describe command('passwd -S root').stdout.strip do it { should match /^root\s+L\s+.*$/ } end -end + +end \ No newline at end of file diff --git a/controls/SV-238330.rb b/controls/SV-238330.rb index e7673b5..bc534a5 100644 --- a/controls/SV-238330.rb +++ b/controls/SV-238330.rb @@ -1,4 +1,4 @@ -control 'SV-238330' do +control "SV-238330" do title "The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. " desc "Inactive identifiers pose a risk to systems and applications because attackers may exploit 
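Review bot: Locking the root password with `passwd -l` only disables password authentication; root can still log in directly over SSH with an authorized key, so the test passes on a host where direct root login remains possible. The second branch of the `describe.one`, `command('passwd -S root')`, also runs without `sudo`, and on most shadow-utils builds `passwd -S` for another user is refused unprivileged, leaving the `shadow` branch as the only effective check. Consider a companion assertion `describe sshd_config do its('PermitRootLogin') { should cmp 'no' } end`, or at least a comment on the `describe.one` stating that this control covers the password path only. The `shadow.where(user: 'root')` expectations are outside the hunk.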
@@ -7,8 +7,15 @@ obtained. Operating systems need to track periods of inactivity and disable application -identifiers after 35 days of inactivity. " - desc 'check', "Verify the account identifiers (individuals, groups, roles, and devices) are disabled +identifiers after 35 days of inactivity." + desc "default", "Inactive identifiers pose a risk to systems and applications because attackers may exploit +an inactive identifier and potentially obtain undetected access to the system. Owners of +inactive accounts will not notice if unauthorized access to their user account has been +obtained. + +Operating systems need to track periods of inactivity and disable application +identifiers after 35 days of inactivity." + desc "check", "Verify the account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command: Check the account inactivity value @@ -20,8 +27,8 @@ INACTIVE=35 If \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out, -this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to disable account identifiers after 35 days of +this is a finding." + desc "fix", "Configure the Ubuntu operating system to disable account identifiers after 35 days of inactivity after the password expiration. Run the following command to change the 
@@ -31,16 +38,16 @@ Note: DoD recommendation is 35 days, but a lower value is acceptable. The value \"0\" will disable the account immediately after the -password expires. " +password expires." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000118-GPOS-00060 ' - tag gid: 'V-238330 ' - tag rid: 'SV-238330r654165_rule ' - tag stig_id: 'UBTU-20-010409 ' - tag fix_id: 'F-41499r654164_fix ' - tag cci: ['CCI-000795'] - tag nist: ['IA-4 e'] + tag severity: "medium " + tag gtitle: "SRG-OS-000118-GPOS-00060 " + tag gid: "V-238330 " + tag rid: "SV-238330r654165_rule " + tag stig_id: "UBTU-20-010409 " + tag fix_id: "F-41499r654164_fix " + tag cci: ["CCI-000795"] + tag nist: ["IA-4 e"] config_file = input('useradd_config_file') config_file_exists = file(config_file).exist? @@ -56,4 +63,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238331.rb b/controls/SV-238331.rb index c8da489..ffbce84 100644 --- a/controls/SV-238331.rb +++ b/controls/SV-238331.rb @@ -1,4 +1,4 @@ -control 'SV-238331' do +control "SV-238331" do title "The Ubuntu operating system must automatically remove or disable emergency accounts after 72 hours. " desc "Emergency accounts are different from infrequently used accounts (i.e., local logon 
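Review bot: `INACTIVE` in the useradd defaults file read via `input('useradd_config_file')` is applied only to accounts created after it is set; existing users keep whatever inactivity value sits in their `/etc/shadow` entry, which is typically blank (never disabled) on a stock install. A host can therefore pass this control while none of its pre-existing accounts is ever disabled. Add an assertion over the shadow file, something like `describe shadow.where { inactive_days.nil? || inactive_days.to_i > 35 }.users do it { should be_empty } end` (scoped to interactive accounts if system users add noise), or add a comment next to `config_file` stating that existing accounts are verified elsewhere, e.g. with `chage -I`. The expectations on `config_file` continue outside the hunk.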
@@ -9,8 +9,17 @@ situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged -users who need long-term maintenance accounts. " - desc 'check', "Verify the Ubuntu operating system expires emergency accounts within 72 hours or less. +users who need long-term maintenance accounts." + desc "default", "Emergency accounts are different from infrequently used accounts (i.e., local logon +accounts used by the organization's System Administrator +s when network or normal +logon/access is not available). Infrequently used accounts are not subject to automatic +termination dates. Emergency accounts are accounts created in response to crisis +situations, usually for use by maintenance personnel. The automatic expiration or +disabling time period may be extended as needed until the crisis is resolved; however, it must +not be extended indefinitely. A permanent account should be established for privileged +users who need long-term maintenance accounts." + desc "check", "Verify the Ubuntu operating system expires emergency accounts within 72 hours or less. For every emergency account, run the following command to obtain its account expiration 
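Review bot: The generated `desc "default"` text breaks the word "Administrators" across two lines (`System Administrator` / `s when network`), so the rendered description reads "System Administrator s when network"; whether the original `desc` above has the same wrap is outside the hunk, but this new copy is the one the formatter should have fixed rather than reproduced. Rejoin the two lines: `accounts used by the organization's System Administrators when network or normal`. The other controls in this patch are worth scanning for the same artifact, since the text appears to have been re-flowed mechanically.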
@@ -26,25 +35,26 @@ within 72 hours of account creation. If any of these accounts do not expire within 72 hours of -that account's creation, this is a finding. " - desc 'fix', "If an emergency account must be created, configure the system to terminate the account after a +that account's creation, this is a finding." + desc "fix", "If an emergency account must be created, configure the system to terminate the account after a 72-hour time period with the following command to set an expiration date on it. Substitute \"account_name\" with the account to be created. $ sudo chage -E $(date -d \"+3 days\" +%F) -account_name " +account_name" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000123-GPOS-00064 ' - tag gid: 'V-238331 ' - tag rid: 'SV-238331r654168_rule ' - tag stig_id: 'UBTU-20-010410 ' - tag fix_id: 'F-41500r654167_fix ' - tag cci: ['CCI-001682'] - tag nist: ['AC-2 (2)'] + tag severity: "low " + tag gtitle: "SRG-OS-000123-GPOS-00064 " + tag gid: "V-238331 " + tag rid: "SV-238331r654168_rule " + tag stig_id: "UBTU-20-010410 " + tag fix_id: "F-41500r654167_fix " + tag cci: ["CCI-001682"] + tag nist: ["AC-2 (2)"] describe 'Manual verification required' do skip 'Manually verify if emergency account must be created the system must terminate the account after a 72 hour time period.' end -end + +end \ No newline at end of file diff --git a/controls/SV-238332.rb b/controls/SV-238332.rb index 2949698..d2a4f82 100644 --- a/controls/SV-238332.rb +++ b/controls/SV-238332.rb @@ -1,4 +1,4 @@ -control 'SV-238332' do +control "SV-238332" do title "The Ubuntu operating system must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources. " desc "Preventing unauthorized information transfers mitigates the risk of information, 
@@ -16,8 +16,24 @@ government agencies. There may be shared resources with configurable protections (e.g., -files in storage) that may be assessed on specific information system components. " - desc 'check', "Verify that all public (world-writeable) directories have the public sticky bit set. +files in storage) that may be assessed on specific information system components." + desc "default", "Preventing unauthorized information transfers mitigates the risk of information, +including encrypted representations of information, produced by the actions of prior +users/roles (or the actions of processes acting on behalf of prior users/roles) from being +available to any current users/roles (or current processes) that obtain access to shared +system resources (e.g., registers, main memory, hard disks) after those resources have been +released back to information systems. The control of information in shared resources is also +commonly referred to as object reuse and residual information protection. + +This +requirement generally applies to the design of an information technology product, but it can +also apply to the configuration of particular information system components that are, or +use, such products. This can be verified by acceptance/validation processes in DoD or other +government agencies. + +There may be shared resources with configurable protections (e.g., +files in storage) that may be assessed on specific information system components." + desc "check", "Verify that all public (world-writeable) directories have the public sticky bit set. Find world-writable directories that lack the sticky bit by running the following command: 
@@ -26,24 +42,24 @@ sudo find / -type d -perm -002 ! -perm -1000 If any world-writable directories are found -missing the sticky bit, this is a finding. " - desc 'fix', "Configure all public directories to have the sticky bit set to prevent unauthorized and +missing the sticky bit, this is a finding." + desc "fix", "Configure all public directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. Set the sticky bit on all public directories using the following command, replacing \"[Public Directory]\" with any directory path missing the sticky bit: -$ sudo chmod +t [Public Directory] " +$ sudo chmod +t [Public Directory]" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000138-GPOS-00069 ' - tag gid: 'V-238332 ' - tag rid: 'SV-238332r654171_rule ' - tag stig_id: 'UBTU-20-010411 ' - tag fix_id: 'F-41501r654170_fix ' - tag cci: ['CCI-001090'] - tag nist: ['SC-4'] + tag severity: "medium " + tag gtitle: "SRG-OS-000138-GPOS-00069 " + tag gid: "V-238332 " + tag rid: "SV-238332r654171_rule " + tag stig_id: "UBTU-20-010411 " + tag fix_id: "F-41501r654170_fix " + tag cci: ["CCI-001090"] + tag nist: ["SC-4"] lines = command('find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null').stdout.strip.split("\n").entries if lines.count > 0 @@ -59,4 +75,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238333.rb b/controls/SV-238333.rb index 2c3f0e0..191e6a1 100644 --- a/controls/SV-238333.rb +++ b/controls/SV-238333.rb @@ -1,5 +1,5 @@ -control 'SV-238333' do - title 'The Ubuntu operating system must be configured to use TCP syncookies. ' +control "SV-238333" do + title "The Ubuntu operating system must be configured to use TCP syncookies. " desc "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. 
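Review bot: `find / -xdev ...` in the `lines = command(...)` context line stops at filesystem boundaries, so world-writable directories on a separately mounted `/tmp`, `/var/tmp` or `/home` are never examined, while the check text's `sudo find / -type d -perm -002 ! -perm -1000` walks everything; the control can pass on exactly the partitions where a missing sticky bit matters most. The `2>/dev/null` also hides permission-denied errors when the scan is unprivileged, narrowing coverage silently. Either drop `-xdev` to match the check, or keep it and iterate over the local mount points, and surface `stderr` (or require a privileged run) so a partial walk is visible. The `if lines.count > 0` branches that follow are outside the hunk.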
@@ -7,8 +7,16 @@ Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, -establishing selected usage priorities, quotas, or partitioning. " - desc 'check', "Verify the Ubuntu operating system is configured to use TCP syncookies. +establishing selected usage priorities, quotas, or partitioning." + desc "default", "DoS is a condition when a resource is not available for legitimate users. When this occurs, the +organization either cannot accomplish its mission or must operate at degraded capacity. + + +Managing excess capacity ensures that sufficient capacity is available to counter +flooding attacks. Employing increased capacity and service redundancy may reduce the +susceptibility to some DoS attacks. Managing excess capacity may include, for example, +establishing selected usage priorities, quotas, or partitioning." + desc "check", "Verify the Ubuntu operating system is configured to use TCP syncookies. Check the value of TCP syncookies with the following command: @@ -26,8 +34,8 @@ net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#' If no output is -returned, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to use TCP syncookies by running the following +returned, this is a finding." + desc "fix", "Configure the Ubuntu operating system to use TCP syncookies by running the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 
@@ -36,18 +44,19 @@ value, add or update the following line in \"/etc/sysctl.conf\": net.ipv4.tcp_syncookies -= 1 " += 1" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000142-GPOS-00071 ' - tag gid: 'V-238333 ' - tag rid: 'SV-238333r654174_rule ' - tag stig_id: 'UBTU-20-010412 ' - tag fix_id: 'F-41502r654173_fix ' - tag cci: ['CCI-001095'] - tag nist: ['SC-5 (2)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000142-GPOS-00071 " + tag gid: "V-238333 " + tag rid: "SV-238333r654174_rule " + tag stig_id: "UBTU-20-010412 " + tag fix_id: "F-41502r654173_fix " + tag cci: ["CCI-001095"] + tag nist: ["SC-5 (2)"] describe kernel_parameter('net.ipv4.tcp_syncookies') do its('value') { should cmp 1 } end -end + +end \ No newline at end of file diff --git a/controls/SV-238334.rb b/controls/SV-238334.rb index b8609d4..651a77e 100644 --- a/controls/SV-238334.rb +++ b/controls/SV-238334.rb @@ -1,10 +1,13 @@ -control 'SV-238334' do +control "SV-238334" do title "The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state if system initialization fails, shutdown fails or aborts fail. " desc "Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of -service by exhausting the available space on the target file system partition. " - desc 'check', "Verify that kernel core dumps are disabled unless needed. +service by exhausting the available space on the target file system partition." + desc "default", "Kernel core dumps may contain the full contents of system memory at the time of the crash. +Kernel core dumps may consume a considerable amount of disk space and may result in denial of +service by exhausting the available space on the target file system partition." + desc "check", "Verify that kernel core dumps are disabled unless needed. Check if \"kdump\" service is active with the following command: 
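Review bot: `kernel_parameter('net.ipv4.tcp_syncookies')` reads the running value, so the control passes after a one-off `sysctl -w` even though the second half of the check text requires the setting to be persisted in `/etc/sysctl.conf` or `/etc/sysctl.d/*`; the value is lost at the next reboot and the host drifts silently. Add a persistence assertion alongside it, e.g. `describe command("grep -rhs '^\\s*net.ipv4.tcp_syncookies' /etc/sysctl.conf /etc/sysctl.d/").stdout do it { should match(/=\s*1\s*$/) } end`, or parse the files with `parse_config_file`. Since a later file in `/etc/sysctl.d/` generally overrides an earlier definition, the last match across those files is what reflects boot-time state.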
@@ -16,23 +19,23 @@ the \"kdump\" service is active, ask the SA if the use of the service is required and documented with the ISSO. -If the service is active and is not documented, this is a finding. " - desc 'fix', "If kernel core dumps are not required, disable the \"kdump\" service with the following +If the service is active and is not documented, this is a finding." + desc "fix", "If kernel core dumps are not required, disable the \"kdump\" service with the following command: $ sudo systemctl disable kdump.service If kernel core dumps are required, -document the need with the ISSO. " +document the need with the ISSO." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000184-GPOS-00078 ' - tag gid: 'V-238334 ' - tag rid: 'SV-238334r654177_rule ' - tag stig_id: 'UBTU-20-010413 ' - tag fix_id: 'F-41503r654176_fix ' - tag cci: ['CCI-001190'] - tag nist: ['SC-24'] + tag severity: "medium " + tag gtitle: "SRG-OS-000184-GPOS-00078 " + tag gid: "V-238334 " + tag rid: "SV-238334r654177_rule " + tag stig_id: "UBTU-20-010413 " + tag fix_id: "F-41503r654176_fix " + tag cci: ["CCI-001190"] + tag nist: ["SC-24"] is_kdump_required = input('is_kdump_required') if is_kdump_required @@ -48,4 +51,5 @@ it { should_not be_running } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238335.rb b/controls/SV-238335.rb index f4dd4b9..2b7a34d 100644 --- a/controls/SV-238335.rb +++ b/controls/SV-238335.rb @@ -1,4 +1,4 @@ -control 'SV-238335' do +control "SV-238335" do title "Ubuntu operating systems handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. " 
@@ -10,8 +10,17 @@ operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the -information. " - desc 'check', "If there is a documented and approved reason for not having data-at-rest encryption, this +information." + desc "default", "Information at rest refers to the state of information when it is located on a secondary +storage device (e.g., disk drive and tape drive, when used for backups) within an operating +system. + +This requirement addresses protection of user-generated data, as well as +operating system-specific configuration data. Organizations may choose to employ +different mechanisms to achieve confidentiality and integrity protections, as +appropriate, in accordance with the security category and/or classification of the +information." + desc "check", "If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. Verify the Ubuntu operating system prevents unauthorized 
@@ -50,23 +59,24 @@ partition present must have an entry in the file. If any partitions other than the boot -partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. " - desc 'fix', "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. +partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding." + desc "fix", "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. Note: Encrypting a partition in an already-installed system is more difficult because it -will need to be resized and existing partitions changed. " +will need to be resized and existing partitions changed." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000185-GPOS-00079 ' - tag gid: 'V-238335 ' - tag rid: 'SV-238335r654180_rule ' - tag stig_id: 'UBTU-20-010414 ' - tag fix_id: 'F-41504r654179_fix ' - tag cci: ['CCI-001199'] - tag nist: ['SC-28'] + tag severity: "medium " + tag gtitle: "SRG-OS-000185-GPOS-00079 " + tag gid: "V-238335 " + tag rid: "SV-238335r654180_rule " + tag stig_id: "UBTU-20-010414 " + tag fix_id: "F-41504r654179_fix " + tag cci: ["CCI-001199"] + tag nist: ["SC-28"] describe 'Not Applicable' do skip 'Encryption of data at rest is handled by the IaaS' end -end + +end \ No newline at end of file diff --git a/controls/SV-238336.rb b/controls/SV-238336.rb index 975a2b7..92412ff 100644 --- a/controls/SV-238336.rb +++ b/controls/SV-238336.rb @@ -1,4 +1,4 @@ -control 'SV-238336' do +control "SV-238336" do title "The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP). " desc "Without the use of automated mechanisms to scan for security flaws on a continuous and/or 
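Review bot: The `describe 'Not Applicable' do skip 'Encryption of data at rest is handled by the IaaS' end` block is an unconditional skip, so this control never inspects the host even though the check text makes Not Applicable conditional on a documented and approved reason. Consider gating the skip on a profile input, following the `is_kdump_required = input('is_kdump_required')` pattern used in SV-238334, so the exemption is recorded as data rather than hardcoded, e.g. `if input('<PLACEHOLDER: data_at_rest_exemption_input>')` with an else branch that at least examines the partition list the check text refers to. The control's opening lines are outside this hunk, so I cannot tell whether such an input already exists for it.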
@@ -7,8 +7,15 @@ To support this requirement, the operating system may have an integrated solution incorporating continuous scanning using -HBSS and periodic scanning using other tools, as specified in the requirement. " - desc 'check', "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding. +HBSS and periodic scanning using other tools, as specified in the requirement." + desc "default", "Without the use of automated mechanisms to scan for security flaws on a continuous and/or +periodic basis, the operating system or other system components may remain vulnerable to the +exploits presented by undetected software flaws. + +To support this requirement, the +operating system may have an integrated solution incorporating continuous scanning using +HBSS and periodic scanning using other tools, as specified in the requirement." + desc "check", "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding. However, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and running. 
@@ -25,24 +32,24 @@ # /opt/McAfee/ens/tp/init/mfetpd-control.sh status If the -daemon is not running, this finding will remain as a CAT II. " - desc 'fix', "The Ubuntu operating system is not compliant with this requirement; however, the severity +daemon is not running, this finding will remain as a CAT II." + desc "fix", "The Ubuntu operating system is not compliant with this requirement; however, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and running. Configure the Ubuntu operating system to use ENSLTP. Install the \"mcafeetp\" package via the ePO -server. " +server." impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000191-GPOS-00080 ' - tag gid: 'V-238336 ' - tag rid: 'SV-238336r858538_rule ' - tag stig_id: 'UBTU-20-010415 ' - tag fix_id: 'F-41505r858537_fix ' - tag cci: ['CCI-001233'] - tag nist: ['SI-2 (2)'] + tag severity: "low " + tag gtitle: "SRG-OS-000191-GPOS-00080 " + tag gid: "V-238336 " + tag rid: "SV-238336r858538_rule " + tag stig_id: "UBTU-20-010415 " + tag fix_id: "F-41505r858537_fix " + tag cci: ["CCI-001233"] + tag nist: ["SI-2 (2)"] describe package('mfetp') do it { should be_installed } @@ -51,4 +58,5 @@ describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do its('exit_status') { should cmp 0 } end -end + +end \ No newline at end of file diff --git a/controls/SV-238337.rb b/controls/SV-238337.rb index 48f4e2a..b16eaca 100644 --- a/controls/SV-238337.rb +++ b/controls/SV-238337.rb @@ -1,4 +1,4 @@ -control 'SV-238337' do +control "SV-238337" do title "The Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. " 
@@ -13,29 +13,41 @@ erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security -numbers, and credit card numbers. " - desc 'check', "Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory +numbers, and credit card numbers." + desc "default", "Any operating system providing too much information in error messages risks compromising +the data and security of the structure, and content of error messages needs to be carefully +considered by the organization. + +Organizations carefully consider the +structure/content of error messages. The extent to which information systems are able to +identify and handle error conditions is guided by organizational policy and operational +requirements. Information that could be exploited by adversaries includes, for example, +erroneous logon attempts with passwords entered by mistake as the username, +mission/business information that can be derived from (if not stated explicitly by) +information recorded, and personal information, such as account numbers, social security +numbers, and credit card numbers." + desc "check", "Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory with a permission set to 640 or less permissive by using the following command: $ sudo find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\; If the command displays any output, -this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to set permissions of all log files under the +this is a finding." 
+ desc "fix", "Configure the Ubuntu operating system to set permissions of all log files under the \"/var/log\" directory to 640 or more restricted by using the following command: $ sudo find -/var/log -perm /137 -type f -exec chmod 640 '{}' \\; " +/var/log -perm /137 -type f -exec chmod 640 '{}' \\;" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000205-GPOS-00083 ' - tag gid: 'V-238337 ' - tag rid: 'SV-238337r654186_rule ' - tag stig_id: 'UBTU-20-010416 ' - tag fix_id: 'F-41506r654185_fix ' - tag cci: ['CCI-001312'] - tag nist: ['SI-11 a'] + tag severity: "medium " + tag gtitle: "SRG-OS-000205-GPOS-00083 " + tag gid: "V-238337 " + tag rid: "SV-238337r654186_rule " + tag stig_id: "UBTU-20-010416 " + tag fix_id: "F-41506r654185_fix " + tag cci: ["CCI-001312"] + tag nist: ["SI-11 a"] log_files = command('find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;').stdout.strip.split("\n").entries @@ -43,4 +55,5 @@ subject { log_files } its('count') { should eq 0 } end -end + +end \ No newline at end of file diff --git a/controls/SV-238338.rb b/controls/SV-238338.rb index b8085c3..24d6530 100644 --- a/controls/SV-238338.rb +++ b/controls/SV-238338.rb @@ -1,4 +1,4 @@ -control 'SV-238338' do +control "SV-238338" do title "The Ubuntu operating system must configure the /var/log directory to be group-owned by syslog. " desc "Only authorized personnel should be aware of errors and the details of the errors. Error 
@@ -10,30 +10,41 @@ The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. " - desc 'check', "Verify that the Ubuntu operating system configures the \"/var/log\" directory to be +organizational policy and operational requirements." + desc "default", "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements." + desc "check", "Verify that the Ubuntu operating system configures the \"/var/log\" directory to be group-owned by syslog with the following command: $ sudo stat -c \"%n %G\" /var/log /var/log syslog -If the \"/var/log\" directory is not group-owned by syslog, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by +If the \"/var/log\" directory is not group-owned by syslog, this is a finding." 
+ desc "fix", "Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by running the following command: -$ sudo chgrp syslog /var/log " +$ sudo chgrp syslog /var/log" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000206-GPOS-00084 ' - tag gid: 'V-238338 ' - tag rid: 'SV-238338r654189_rule ' - tag stig_id: 'UBTU-20-010417 ' - tag fix_id: 'F-41507r654188_fix ' - tag cci: ['CCI-001314'] - tag nist: ['SI-11 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238338 " + tag rid: "SV-238338r654189_rule " + tag stig_id: "UBTU-20-010417 " + tag fix_id: "F-41507r654188_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] describe directory('/var/log') do its('group') { should cmp 'syslog' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238339.rb b/controls/SV-238339.rb index 29e3f73..6f287ec 100644 --- a/controls/SV-238339.rb +++ b/controls/SV-238339.rb @@ -1,5 +1,5 @@ -control 'SV-238339' do - title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. ' +control "SV-238339" do + title "The Ubuntu operating system must configure the /var/log directory to be owned by root. " desc "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) 
@@ -9,30 +9,41 @@ The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. " - desc 'check', "Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root +organizational policy and operational requirements." + desc "default", "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements." + desc "check", "Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root with the following command: $ sudo stat -c \"%n %U\" /var/log /var/log root If the -\"/var/log\" directory is not owned by root, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running +\"/var/log\" directory is not owned by root, this is a finding." 
+ desc "fix", "Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running the following command: -$ sudo chown root /var/log " +$ sudo chown root /var/log" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000206-GPOS-00084 ' - tag gid: 'V-238339 ' - tag rid: 'SV-238339r654192_rule ' - tag stig_id: 'UBTU-20-010418 ' - tag fix_id: 'F-41508r654191_fix ' - tag cci: ['CCI-001314'] - tag nist: ['SI-11 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238339 " + tag rid: "SV-238339r654192_rule " + tag stig_id: "UBTU-20-010418 " + tag fix_id: "F-41508r654191_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] describe directory('/var/log') do its('owner') { should cmp 'root' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238340.rb b/controls/SV-238340.rb index 0521fe7..f75b825 100644 --- a/controls/SV-238340.rb +++ b/controls/SV-238340.rb @@ -1,4 +1,4 @@ -control 'SV-238340' do +control "SV-238340" do title "The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less permissive. " desc "Only authorized personnel should be aware of errors and the details of the errors. Error 
@@ -10,8 +10,18 @@ The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. " - desc 'check', "Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of +organizational policy and operational requirements." + desc "default", "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements." + desc "check", "Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of 750 or less permissive with the following command: $ stat -c \"%n %a\" /var/log 
@@ -19,22 +29,23 @@ /var/log 750 -If a value of \"750\" or less permissive is not returned, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\" +If a value of \"750\" or less permissive is not returned, this is a finding." + desc "fix", "Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\" directory by running the following command: -$ sudo chmod 0750 /var/log " +$ sudo chmod 0750 /var/log" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000206-GPOS-00084 ' - tag gid: 'V-238340 ' - tag rid: 'SV-238340r654195_rule ' - tag stig_id: 'UBTU-20-010419 ' - tag fix_id: 'F-41509r654194_fix ' - tag cci: ['CCI-001314'] - tag nist: ['SI-11 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238340 " + tag rid: "SV-238340r654195_rule " + tag stig_id: "UBTU-20-010419 " + tag fix_id: "F-41509r654194_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] describe directory('/var/log') do it { should_not be_more_permissive_than('0750') } end -end + +end \ No newline at end of file diff --git a/controls/SV-238341.rb b/controls/SV-238341.rb index 09b2b1f..53bdf12 100644 --- a/controls/SV-238341.rb +++ b/controls/SV-238341.rb @@ -1,4 +1,4 @@ -control 'SV-238341' do +control "SV-238341" do title "The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by adm. " desc "Only authorized personnel should be aware of errors and the details of the errors. Error 
@@ -10,8 +10,18 @@ The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. " - desc 'check', "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be +organizational policy and operational requirements." + desc "default", "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements." + desc "check", "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be group-owned by adm with the following command: $ sudo stat -c \"%n %G\" /var/log/syslog 
@@ -19,22 +29,23 @@ /var/log/syslog adm If the \"/var/log/syslog\" file is not group-owned by adm, this is a -finding. " - desc 'fix', "Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by +finding." + desc "fix", "Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by running the following command: -$ sudo chgrp adm /var/log/syslog " +$ sudo chgrp adm /var/log/syslog" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000206-GPOS-00084 ' - tag gid: 'V-238341 ' - tag rid: 'SV-238341r654198_rule ' - tag stig_id: 'UBTU-20-010420 ' - tag fix_id: 'F-41510r654197_fix ' - tag cci: ['CCI-001314'] - tag nist: ['SI-11 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238341 " + tag rid: "SV-238341r654198_rule " + tag stig_id: "UBTU-20-010420 " + tag fix_id: "F-41510r654197_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] describe file('/var/log/syslog') do its('group') { should cmp 'adm' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238342.rb b/controls/SV-238342.rb index fbbe75b..616f8c7 100644 --- a/controls/SV-238342.rb +++ b/controls/SV-238342.rb @@ -1,5 +1,5 @@ -control 'SV-238342' do - title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ' +control "SV-238342" do + title "The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. " desc "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) 
@@ -9,8 +9,18 @@ The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. " - desc 'check', "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by +organizational policy and operational requirements." + desc "default", "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements." + desc "check", "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by syslog with the following command: $ sudo stat -c \"%n %U\" /var/log/syslog 
@@ -18,22 +28,23 @@ /var/log/syslog syslog If the \"/var/log/syslog\" file is not owned by syslog, this is a -finding. " - desc 'fix', "Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by +finding." + desc "fix", "Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by running the following command: -$ sudo chown syslog /var/log/syslog " +$ sudo chown syslog /var/log/syslog" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000206-GPOS-00084 ' - tag gid: 'V-238342 ' - tag rid: 'SV-238342r654201_rule ' - tag stig_id: 'UBTU-20-010421 ' - tag fix_id: 'F-41511r654200_fix ' - tag cci: ['CCI-001314'] - tag nist: ['SI-11 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238342 " + tag rid: "SV-238342r654201_rule " + tag stig_id: "UBTU-20-010421 " + tag fix_id: "F-41511r654200_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] describe file('/var/log/syslog') do its('owner') { should cmp 'syslog' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238343.rb b/controls/SV-238343.rb index 4ed135d..3605168 100644 --- a/controls/SV-238343.rb +++ b/controls/SV-238343.rb @@ -1,4 +1,4 @@ -control 'SV-238343' do +control "SV-238343" do title "The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive. " desc "Only authorized personnel should be aware of errors and the details of the errors. Error 
@@ -10,8 +10,18 @@ The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. " - desc 'check', "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode +organizational policy and operational requirements." + desc "default", "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements." + desc "check", "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode 0640 or less permissive by running the following command: $ sudo stat -c \"%n %a\" 
@@ -20,22 +30,23 @@ /var/log/syslog 640 If a value of \"640\" or less permissive is not -returned, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\" +returned, this is a finding." + desc "fix", "Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\" file by running the following command: -$ sudo chmod 0640 /var/log/syslog " +$ sudo chmod 0640 /var/log/syslog" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000206-GPOS-00084 ' - tag gid: 'V-238343 ' - tag rid: 'SV-238343r654204_rule ' - tag stig_id: 'UBTU-20-010422 ' - tag fix_id: 'F-41512r654203_fix ' - tag cci: ['CCI-001314'] - tag nist: ['SI-11 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238343 " + tag rid: "SV-238343r654204_rule " + tag stig_id: "UBTU-20-010422 " + tag fix_id: "F-41512r654203_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] describe file('/var/log/syslog') do it { should_not be_more_permissive_than('0640') } end -end + +end \ No newline at end of file diff --git a/controls/SV-238344.rb b/controls/SV-238344.rb index cc68143..61fd30d 100644 --- a/controls/SV-238344.rb +++ b/controls/SV-238344.rb @@ -1,4 +1,4 @@ -control 'SV-238344' do +control "SV-238344" do title "The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive. " desc "Protecting audit information also includes identifying and protecting the tools used to 
@@ -13,8 +13,21 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and -report generators. " - desc 'check', "Verify the system commands directories have mode 0755 or less permissive: +report generators." + desc "default", "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user has in order to make access +decisions regarding the deletion of audit tools. + +Audit tools include, but are not limited +to, vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators." + desc "check", "Verify the system commands directories have mode 0755 or less permissive: /bin /sbin 
@@ -32,21 +45,21 @@ '{}' \\; If any directories are found to be group-writable or world-writable, this is a -finding. " - desc 'fix', "Configure the system commands directories to be protected from unauthorized access. Run the +finding." + desc "fix", "Configure the system commands directories to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin -/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\; " +/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000258-GPOS-00099 ' - tag gid: 'V-238344 ' - tag rid: 'SV-238344r654207_rule ' - tag stig_id: 'UBTU-20-010423 ' - tag fix_id: 'F-41513r654206_fix ' - tag cci: ['CCI-001495'] - tag nist: ['AU-9'] + tag severity: "medium " + tag gtitle: "SRG-OS-000258-GPOS-00099 " + tag gid: "V-238344 " + tag rid: "SV-238344r654207_rule " + tag stig_id: "UBTU-20-010423 " + tag fix_id: "F-41513r654206_fix " + tag cci: ["CCI-001495"] + tag nist: ["AU-9"] system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split("\n").entries valid_system_commands = Set[] @@ -72,4 +85,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238345.rb b/controls/SV-238345.rb index 67aa5bf..1f70ba5 100644 --- a/controls/SV-238345.rb +++ b/controls/SV-238345.rb @@ -1,4 +1,4 @@ -control 'SV-238345' do +control "SV-238345" do title "The Ubuntu operating system must have directories that contain system commands owned by root. " desc "Protecting audit information also includes identifying and protecting the tools used to 
@@ -13,8 +13,21 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and -report generators. " - desc 'check', "Verify the system commands directories are owned by root: +report generators." + desc "default", "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user has in order to make access +decisions regarding the deletion of audit tools. + +Audit tools include, but are not limited +to, vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators." + desc "check", "Verify the system commands directories are owned by root: /bin /sbin 
@@ -31,21 +44,21 @@ -type d -exec stat -c \"%n %U\" '{}' \\; If any system commands directories are returned, this is -a finding. " - desc 'fix', "Configure the system commands directories to be protected from unauthorized access. Run the +a finding." + desc "fix", "Configure the system commands directories to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin -/usr/local/sbin ! -user root -type d -exec chown root '{}' \\; " +/usr/local/sbin ! -user root -type d -exec chown root '{}' \\;" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000258-GPOS-00099 ' - tag gid: 'V-238345 ' - tag rid: 'SV-238345r654210_rule ' - tag stig_id: 'UBTU-20-010424 ' - tag fix_id: 'F-41514r654209_fix ' - tag cci: ['CCI-001495'] - tag nist: ['AU-9'] + tag severity: "medium " + tag gtitle: "SRG-OS-000258-GPOS-00099 " + tag gid: "V-238345 " + tag rid: "SV-238345r654210_rule " + tag stig_id: "UBTU-20-010424 " + tag fix_id: "F-41514r654209_fix " + tag cci: ["CCI-001495"] + tag nist: ["AU-9"] system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split("\n").entries valid_system_commands = Set[] @@ -71,4 +84,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238346.rb b/controls/SV-238346.rb index 51fb94a..473e21a 100644 --- a/controls/SV-238346.rb +++ b/controls/SV-238346.rb @@ -1,4 +1,4 @@ -control 'SV-238346' do +control "SV-238346" do title "The Ubuntu operating system must have directories that contain system commands group-owned by root. " desc "Protecting audit information also includes identifying and protecting the tools used to 
@@ -13,8 +13,21 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and -report generators. " - desc 'check', "Verify the system commands directories are group-owned by root: +report generators." + desc "default", "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user has in order to make access +decisions regarding the deletion of audit tools. + +Audit tools include, but are not limited +to, vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators." + desc "check", "Verify the system commands directories are group-owned by root: /bin /sbin 
@@ -32,21 +45,22 @@ If any system commands directories are returned that are not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a -finding. " - desc 'fix', "Configure the system commands directories to be protected from unauthorized access. Run the +finding." + desc "fix", "Configure the system commands directories to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin -/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\; " +/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000258-GPOS-00099 ' - tag gid: 'V-238346 ' - tag rid: 'SV-238346r654213_rule ' - tag stig_id: 'UBTU-20-010425 ' - tag fix_id: 'F-41515r654212_fix ' - tag cci: ['CCI-001495'] - tag nist: ['AU-9'] + tag severity: "medium " + tag gtitle: "SRG-OS-000258-GPOS-00099 " + tag gid: "V-238346 " + tag rid: "SV-238346r654213_rule " + tag stig_id: "UBTU-20-010425 " + tag fix_id: "F-41515r654212_fix " + tag cci: ["CCI-001495"] + tag nist: ["AU-9"] + # CHECK system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split("\n").entries valid_system_commands = Set[] @@ -72,4 +86,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238347.rb b/controls/SV-238347.rb index b160b87..09156e5 100644 --- a/controls/SV-238347.rb +++ b/controls/SV-238347.rb 
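Review bot: The `# CHECK` comment added before the `system_commands = command(...)` line appears only in SV-238346; the sibling controls SV-238344 and SV-238345 in this same patch get no such marker. If it is meant as a section divider for the generated layout it should be emitted for every control, and a comment that says what the test looks for is more useful, e.g. `# Directories under the system command paths that are not group-owned by root`. If it is a leftover from the delta run it should be dropped.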
@@ -1,5 +1,5 @@ -control 'SV-238347' do - title 'The Ubuntu operating system library files must have mode 0755 or less permissive. ' +control "SV-238347" do + title "The Ubuntu operating system library files must have mode 0755 or less permissive. " desc "If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -9,8 +9,18 @@ case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. " - desc 'check', "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\", +changes, including upgrades and modifications." + desc "default", "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications." + desc "check", "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\", and \"/usr/lib\" have mode 0755 or less permissive with the following command: $ sudo find 
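Review bot: Switching `control 'SV-238348' do` and the `title` to double quotes changes nothing at runtime here (none of these strings contain `#{` or backslash escapes), but it reverses the single-quote convention the files had before and that RuboCop's default `Style/StringLiterals` enforces, so a later `rubocop -a` will flip them straight back. Whichever style the generator settles on, it should also stop emitting the blank line before the closing `end` and the missing final newline that every file in this patch now has (`\ No newline at end of file`); both are flagged by `Layout/EmptyLinesAroundBlockBody` and `Layout/TrailingEmptyLines`. Pinning the choice in a `.rubocop.yml` would keep generated and hand-edited controls consistent.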
@@ -19,20 +29,20 @@ /usr/lib64/pkcs11-spy.so If any files are found to be group-writable or -world-writable, this is a finding. " - desc 'fix', "Configure the library files to be protected from unauthorized access. Run the following +world-writable, this is a finding." + desc "fix", "Configure the library files to be protected from unauthorized access. Run the following command: -$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\; " +$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000259-GPOS-00100 ' - tag gid: 'V-238347 ' - tag rid: 'SV-238347r654216_rule ' - tag stig_id: 'UBTU-20-010426 ' - tag fix_id: 'F-41516r654215_fix ' - tag cci: ['CCI-001499'] - tag nist: ['CM-5 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238347 " + tag rid: "SV-238347r654216_rule " + tag stig_id: "UBTU-20-010426 " + tag fix_id: "F-41516r654215_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] library_files = if os.arch == 'x86_64' command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split("\n").entries @@ -52,4 +62,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238348.rb b/controls/SV-238348.rb index 00cb272..f2af5b6 100644 --- a/controls/SV-238348.rb +++ b/controls/SV-238348.rb @@ -1,5 +1,5 @@ -control 'SV-238348' do - title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. ' +control "SV-238348" do + title "The Ubuntu operating system library directories must have mode 0755 or less permissive. " desc "If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
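Review bot: The x86_64 branch of the InSpec check, `command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f')`, passes `lib64` without a leading slash, so `find` looks for a `lib64` directory relative to the working directory of the InSpec run rather than `/lib64`; depending on cwd that is either an error on stderr (which `.stdout` silently discards, so the control passes vacuously for that tree) or a scan of an unrelated directory. The check and fix text in this same hunk name `/lib64` explicitly, so the test should read `command('find /lib /lib32 /lib64 /usr/lib /usr/lib32 -perm /022 -type f')`. The non-x86_64 branch and the rest of the `library_files` handling are outside this hunk, so I cannot see whether they share the typo. This is pre-existing, but a patch that regenerates these files is the natural place to fix it.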
@@ -9,29 +9,39 @@ case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. " - desc 'check', "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have +changes, including upgrades and modifications." + desc "default", "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications." + desc "check", "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have mode 0755 or less permissive with the following command: $ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec stat -c \"%n %a\" '{}' \\; If any of the aforementioned directories are -found to be group-writable or world-writable, this is a finding. " - desc 'fix', "Configure the shared library directories to be protected from unauthorized access. Run the +found to be group-writable or world-writable, this is a finding." + desc "fix", "Configure the shared library directories to be protected from unauthorized access. 
Run the following command: $ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}' -\\; " +\\;" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000259-GPOS-00100 ' - tag gid: 'V-238348 ' - tag rid: 'SV-238348r654219_rule ' - tag stig_id: 'UBTU-20-010427 ' - tag fix_id: 'F-41517r654218_fix ' - tag cci: ['CCI-001499'] - tag nist: ['CM-5 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238348 " + tag rid: "SV-238348r654219_rule " + tag stig_id: "UBTU-20-010427 " + tag fix_id: "F-41517r654218_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] library_dirs = if os.arch == 'x86_64' command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split("\n").entries @@ -51,4 +61,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238349.rb b/controls/SV-238349.rb index 82b8e7a..6361b41 100644 --- a/controls/SV-238349.rb +++ b/controls/SV-238349.rb @@ -1,5 +1,5 @@ -control 'SV-238349' do - title 'The Ubuntu operating system library files must be owned by root. ' +control "SV-238349" do + title "The Ubuntu operating system library files must be owned by root. " desc "If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
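Review bot: Like the sibling SV-238347 control in this patch, the x86_64 branch `command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d')` has `lib64` relative rather than `/lib64`, so the directory-mode check either skips `/lib64` or errors on stderr without failing the control. The check text directly above it names `/lib64`. Change it to `command('find /lib /lib32 /lib64 /usr/lib /usr/lib32 -perm /022 -type d')`. The else branch of `library_dirs` is outside this hunk.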
@@ -9,29 +9,39 @@ case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. " - desc 'check', "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\", +changes, including upgrades and modifications." + desc "default", "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications." + desc "check", "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\", and \"/usr/lib\" are owned by root with the following command: $ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\; If any system-wide library file is -returned, this is a finding. " - desc 'fix', "Configure the system library files to be protected from unauthorized access. Run the +returned, this is a finding." + desc "fix", "Configure the system library files to be protected from unauthorized access. Run the following command: $ sudo find /lib /usr/lib /lib64 ! 
-user root -type f -exec chown root -'{}' \\; " +'{}' \\;" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000259-GPOS-00100 ' - tag gid: 'V-238349 ' - tag rid: 'SV-238349r654222_rule ' - tag stig_id: 'UBTU-20-010428 ' - tag fix_id: 'F-41518r654221_fix ' - tag cci: ['CCI-001499'] - tag nist: ['CM-5 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238349 " + tag rid: "SV-238349r654222_rule " + tag stig_id: "UBTU-20-010428 " + tag fix_id: "F-41518r654221_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] library_files = if os.arch == 'x86_64' command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type f').stdout.strip.split("\n").entries @@ -51,4 +61,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238350.rb b/controls/SV-238350.rb index e2e4958..4de5820 100644 --- a/controls/SV-238350.rb +++ b/controls/SV-238350.rb @@ -1,5 +1,5 @@ -control 'SV-238350' do - title 'The Ubuntu operating system library directories must be owned by root. ' +control "SV-238350" do + title "The Ubuntu operating system library directories must be owned by root. " desc "If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
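Review bot: The x86_64 command `'find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type f'` escapes the option dashes with backslashes inside a single-quoted Ruby string; Ruby keeps `\-` literally there and the shell then strips the backslash, so it works only through two layers of quoting, and it differs from the plain `! -user root -type d` used in SV-238345. Since the regenerated check text right above shows the canonical form, I would write `'find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! -user root -type f'`. This control does prefix `/lib64` correctly, unlike the mode checks for SV-238347 and SV-238348. The else branch of `library_files` is outside this hunk.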
@@ -9,29 +9,39 @@ case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. " - desc 'check', "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are +changes, including upgrades and modifications." + desc "default", "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications." + desc "check", "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are owned by root with the following command: $ sudo find /lib /usr/lib /lib64 ! -user root -type d -exec stat -c \"%n %U\" '{}' \\; If any system-wide library directory is returned, this is a -finding. " - desc 'fix', "Configure the library files and their respective parent directories to be protected from +finding." + desc "fix", "Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command: $ sudo find /lib /usr/lib /lib64 ! 
-user -root -type d -exec chown root '{}' \\; " +root -type d -exec chown root '{}' \\;" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000259-GPOS-00100 ' - tag gid: 'V-238350 ' - tag rid: 'SV-238350r654225_rule ' - tag stig_id: 'UBTU-20-010429 ' - tag fix_id: 'F-41519r654224_fix ' - tag cci: ['CCI-001499'] - tag nist: ['CM-5 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238350 " + tag rid: "SV-238350r654225_rule " + tag stig_id: "UBTU-20-010429 " + tag fix_id: "F-41519r654224_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] library_dirs = if os.arch == 'x86_64' command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type d').stdout.strip.split("\n").entries @@ -51,4 +61,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238351.rb b/controls/SV-238351.rb index 59483bc..c0df0b7 100644 --- a/controls/SV-238351.rb +++ b/controls/SV-238351.rb @@ -1,5 +1,5 @@ -control 'SV-238351' do - title 'The Ubuntu operating system library files must be group-owned by root or a system account. ' +control "SV-238351" do + title "The Ubuntu operating system library files must be group-owned by root or a system account. " desc "If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
@@ -9,8 +9,18 @@ case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. " - desc 'check', "Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and +changes, including upgrades and modifications." + desc "default", "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications." + desc "check", "Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and \"/usr/lib\" are group-owned by root, or a required system account, with the following command: 
@@ -18,21 +28,21 @@ If any system-wide shared library file is returned and is not group-owned by a required -system account, this is a finding. " - desc 'fix', "Configure the system library files to be protected from unauthorized access. Run the +system account, this is a finding." + desc "fix", "Configure the system library files to be protected from unauthorized access. Run the following command, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a required system account: -$ sudo chgrp root [FILE] " +$ sudo chgrp root [FILE]" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000259-GPOS-00100 ' - tag gid: 'V-238351 ' - tag rid: 'SV-238351r832962_rule ' - tag stig_id: 'UBTU-20-010430 ' - tag fix_id: 'F-41520r832961_fix ' - tag cci: ['CCI-001499'] - tag nist: ['CM-5 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238351 " + tag rid: "SV-238351r832962_rule " + tag stig_id: "UBTU-20-010430 " + tag fix_id: "F-41520r832961_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] library_files = if os.arch == 'x86_64' command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type f').stdout.strip.split("\n").entries @@ -52,4 +62,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238352.rb b/controls/SV-238352.rb index b89c6f7..c596f09 100644 --- a/controls/SV-238352.rb +++ b/controls/SV-238352.rb @@ -1,5 +1,5 @@ -control 'SV-238352' do - title 'The Ubuntu operating system library directories must be group-owned by root. ' +control "SV-238352" do + title "The Ubuntu operating system library directories must be group-owned by root. " desc "If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
@@ -9,29 +9,39 @@ case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. " - desc 'check', "Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are +changes, including upgrades and modifications." + desc "default", "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications." + desc "check", "Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are group-owned by root with the following command: $ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec stat -c \"%n %G\" '{}' \\; If any system-wide shared library directory is -returned, this is a finding. " - desc 'fix', "Configure the system library directories to be protected from unauthorized access. Run the +returned, this is a finding." + desc "fix", "Configure the system library directories to be protected from unauthorized access. Run the following command: $ sudo find /lib /usr/lib /lib64 ! 
-group root -type d -exec chgrp root -'{}' \\; " +'{}' \\;" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000259-GPOS-00100 ' - tag gid: 'V-238352 ' - tag rid: 'SV-238352r654231_rule ' - tag stig_id: 'UBTU-20-010431 ' - tag fix_id: 'F-41521r654230_fix ' - tag cci: ['CCI-001499'] - tag nist: ['CM-5 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238352 " + tag rid: "SV-238352r654231_rule " + tag stig_id: "UBTU-20-010431 " + tag fix_id: "F-41521r654230_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] library_directories = if os.arch == 'x86_64' command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type d').stdout.strip.split("\n").entries @@ -51,4 +61,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238353.rb b/controls/SV-238353.rb index dfac375..945ccda 100644 --- a/controls/SV-238353.rb +++ b/controls/SV-238353.rb @@ -1,5 +1,5 @@ -control 'SV-238353' do - title 'The Ubuntu operating system must be configured to preserve log records from failure events. ' +control "SV-238353" do + title "The Ubuntu operating system must be configured to preserve log records from failure events. " desc "Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the 
@@ -7,8 +7,16 @@ Preserving operating system state information helps to facilitate operating system restart and return to the operational mode -of the organization with least disruption to mission/business processes. " - desc 'check', "Verify the log service is configured to collect system failure events. +of the organization with least disruption to mission/business processes." + desc "default", "Failure to a known state can address safety or security in accordance with the +mission/business needs of the organization. Failure to a known secure state helps prevent a +loss of confidentiality, integrity, or availability in the event of a failure of the +information system or a component of the system. + +Preserving operating system state +information helps to facilitate operating system restart and return to the operational mode +of the organization with least disruption to mission/business processes." + desc "check", "Verify the log service is configured to collect system failure events. Check that the log service is installed properly with the following command: @@ -39,8 +47,8 @@ active -If the command above returns \"inactive\", this is a finding. " - desc 'fix', "Configure the log service to collect failure events. +If the command above returns \"inactive\", this is a finding." + desc "fix", "Configure the log service to collect failure events. Install the log service (if the log service is not already installed) with the following command: 
@@ -51,20 +59,21 @@ Enable the log service with the following command: $ sudo systemctl enable --now -rsyslog " +rsyslog" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000269-GPOS-00103 ' - tag gid: 'V-238353 ' - tag rid: 'SV-238353r654234_rule ' - tag stig_id: 'UBTU-20-010432 ' - tag fix_id: 'F-41522r654233_fix ' - tag cci: ['CCI-001665'] - tag nist: ['SC-24'] + tag severity: "medium " + tag gtitle: "SRG-OS-000269-GPOS-00103 " + tag gid: "V-238353 " + tag rid: "SV-238353r654234_rule " + tag stig_id: "UBTU-20-010432 " + tag fix_id: "F-41522r654233_fix " + tag cci: ["CCI-001665"] + tag nist: ["SC-24"] describe service('rsyslog') do it { should be_installed } it { should be_enabled } it { should be_running } end -end + +end \ No newline at end of file diff --git a/controls/SV-238354.rb b/controls/SV-238354.rb index 5d12836..ba8bf11 100644 --- a/controls/SV-238354.rb +++ b/controls/SV-238354.rb @@ -1,4 +1,4 @@ -control 'SV-238354' do +control "SV-238354" do title "The Ubuntu operating system must have an application firewall installed in order to control remote access methods. " desc "Remote access services, such as those providing remote access to network devices and 
@@ -15,8 +15,23 @@ activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, -workstations, notebook computers, smartphones, and tablets). " - desc 'check', "Verify that the Uncomplicated Firewall is installed with the following command: +workstations, notebook computers, smartphones, and tablets)." + desc "default", "Remote access services, such as those providing remote access to network devices and +information systems, which lack automated control capabilities, increase risk and make +remote user access management difficult at best. + +Remote access is access to DoD nonpublic +information systems by an authorized user (or an information system) communicating through +an external, non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + +Ubuntu operating system functionality +(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized +activity. Automated control of remote access sessions allows organizations to ensure +ongoing compliance with remote access policies by enforcing connection rules of remote +access applications on a variety of information system components (e.g., servers, +workstations, notebook computers, smartphones, and tablets)." + desc "check", "Verify that the Uncomplicated Firewall is installed with the following command: $ dpkg -l | grep ufw 
@@ -27,22 +42,23 @@ if another application firewall is installed. If no application firewall is installed, -this is a finding. " - desc 'fix', "Install the Uncomplicated Firewall by using the following command: +this is a finding." + desc "fix", "Install the Uncomplicated Firewall by using the following command: $ sudo apt-get install -ufw " +ufw" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000297-GPOS-00115 ' - tag gid: 'V-238354 ' - tag rid: 'SV-238354r853429_rule ' - tag stig_id: 'UBTU-20-010433 ' - tag fix_id: 'F-41523r654236_fix ' - tag cci: ['CCI-002314'] - tag nist: ['AC-17 (1)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000297-GPOS-00115 " + tag gid: "V-238354 " + tag rid: "SV-238354r853429_rule " + tag stig_id: "UBTU-20-010433 " + tag fix_id: "F-41523r654236_fix " + tag cci: ["CCI-002314"] + tag nist: ["AC-17 (1)"] describe package('ufw') do it { should be_installed } end -end + +end \ No newline at end of file diff --git a/controls/SV-238355.rb b/controls/SV-238355.rb index 87a98a8..884285e 100644 --- a/controls/SV-238355.rb +++ b/controls/SV-238355.rb @@ -1,5 +1,5 @@ -control 'SV-238355' do - title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ' +control "SV-238355" do + title "The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). " desc "Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. 
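Review bot: The test `describe package('ufw') do it { should be_installed } end` is stricter than the check text it sits under, which says to consult the System Administrator when another application firewall is installed and only calls it a finding when no application firewall is present. As written, a host running nftables or firewalld rules fails the control outright with no way to attest the alternative. If the profile has an inputs mechanism I would gate this on an input such as an `alternate_firewall` flag and `skip` with a reviewer message when it is set; otherwise a comment on the describe block stating that ufw is the only firewall this profile accepts would at least make the deviation explicit.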
@@ -14,8 +14,23 @@ activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, -workstations, notebook computers, smartphones, and tablets). " - desc 'check', "Verify the Uncomplicated Firewall is enabled on the system by running the following command: +workstations, notebook computers, smartphones, and tablets)." + desc "default", "Remote access services, such as those providing remote access to network devices and +information systems, which lack automated control capabilities, increase risk and make +remote user access management difficult at best. + +Remote access is access to DoD nonpublic +information systems by an authorized user (or an information system) communicating through +an external, non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + +Ubuntu operating system functionality +(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized +activity. Automated control of remote access sessions allows organizations to ensure +ongoing compliance with remote access policies by enforcing connection rules of remote +access applications on a variety of information system components (e.g., servers, +workstations, notebook computers, smartphones, and tablets)." + desc "check", "Verify the Uncomplicated Firewall is enabled on the system by running the following command: $ systemctl is-enabled ufw 
@@ -35,24 +50,25 @@ System Administrator if another application firewall is installed. If no application -firewall is installed, this is a finding. " - desc 'fix', "Enable the Uncomplicated Firewall by using the following command: +firewall is installed, this is a finding." + desc "fix", "Enable the Uncomplicated Firewall by using the following command: $ sudo systemctl enable ---now ufw.service " +--now ufw.service" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000297-GPOS-00115 ' - tag gid: 'V-238355 ' - tag rid: 'SV-238355r853430_rule ' - tag stig_id: 'UBTU-20-010434 ' - tag fix_id: 'F-41524r654239_fix ' - tag cci: ['CCI-002314'] - tag nist: ['AC-17 (1)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000297-GPOS-00115 " + tag gid: "V-238355 " + tag rid: "SV-238355r853430_rule " + tag stig_id: "UBTU-20-010434 " + tag fix_id: "F-41524r654239_fix " + tag cci: ["CCI-002314"] + tag nist: ["AC-17 (1)"] describe service('ufw') do it { should be_installed } it { should be_enabled } it { should be_running } end -end + +end \ No newline at end of file diff --git a/controls/SV-238356.rb b/controls/SV-238356.rb index f37dbc7..7470c7b 100644 --- a/controls/SV-238356.rb +++ b/controls/SV-238356.rb @@ -1,4 +1,4 @@ -control 'SV-238356' do +control "SV-238356" do title "The Ubuntu operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated 
@@ -15,8 +15,20 @@ Organizations should consider endpoints that may not have regular access to the authoritative time server -(e.g., mobile, teleworking, and tactical endpoints). " - desc 'check', "If the system is not networked, this requirement is Not Applicable. +(e.g., mobile, teleworking, and tactical endpoints)." + desc "default", "Inaccurate time stamps make it more difficult to correlate events and can lead to an +inaccurate analysis. Determining the correct time a particular event occurred on a system is +critical when conducting forensic analysis and investigating system events. Sources +outside the configured acceptable allowance (drift) may be inaccurate. + +Synchronizing +internal information system clocks provides uniformity of time stamps for information +systems with multiple system clocks and systems connected over a network. + +Organizations +should consider endpoints that may not have regular access to the authoritative time server +(e.g., mobile, teleworking, and tactical endpoints)." + desc "check", "If the system is not networked, this requirement is Not Applicable. The system clock must be configured to compare the system clock at least every 24 hours to the authoritative time @@ -44,8 +56,8 @@ If the parameter \"server\" is not set, is not set to an authoritative DoD time source, or is -commented out, this is a finding. " - desc 'fix', "If the system is not networked, this requirement is Not Applicable. +commented out, this is a finding." + desc "fix", "If the system is not networked, this requirement is Not Applicable. To configure the system clock to compare the system clock at least every 24 hours to the authoritative time source, 
@@ -59,16 +71,16 @@ \"server\" was updated, the service must be restarted using the following command: $ sudo -systemctl restart chrony.service " +systemctl restart chrony.service" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000355-GPOS-00143 ' - tag gid: 'V-238356 ' - tag rid: 'SV-238356r853431_rule ' - tag stig_id: 'UBTU-20-010435 ' - tag fix_id: 'F-41525r808491_fix ' - tag cci: ['CCI-001891'] - tag nist: ['AU-8 (1) (a)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000355-GPOS-00143 " + tag gid: "V-238356 " + tag rid: "SV-238356r853431_rule " + tag stig_id: "UBTU-20-010435 " + tag fix_id: "F-41525r808491_fix " + tag cci: ["CCI-001891"] + tag nist: ["AU-8 (1) (a)"] is_system_networked = input('is_system_networked') @@ -98,4 +110,5 @@ skip 'This control is Not Applicable as the system is not networked' end end -end + +end \ No newline at end of file diff --git a/controls/SV-238357.rb b/controls/SV-238357.rb index 1862559..8673c63 100644 --- a/controls/SV-238357.rb +++ b/controls/SV-238357.rb @@ -1,4 +1,4 @@ -control 'SV-238357' do +control "SV-238357" do title "The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second. " desc "Inaccurate time stamps make it more difficult to correlate events and can lead to an 
@@ -15,8 +15,23 @@ endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the -time difference. " - desc 'check', "Verify the operating system synchronizes internal system clocks to the authoritative time +time difference." + desc "default", "Inaccurate time stamps make it more difficult to correlate events and can lead to an +inaccurate analysis. Determining the correct time a particular event occurred on a system is +critical when conducting forensic analysis and investigating system events. + + +Synchronizing internal information system clocks provides uniformity of time stamps for +information systems with multiple system clocks and systems connected over a network. +Organizations should consider setting time periods for different types of systems (e.g., +financial, legal, or mission-critical systems). + +Organizations should also consider +endpoints that may not have regular access to the authoritative time server (e.g., mobile, +teleworking, and tactical endpoints). This requirement is related to the comparison done +every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the +time difference." + desc "check", "Verify the operating system synchronizes internal system clocks to the authoritative time source when the time difference is greater than one second. Check the value of \"makestep\" by 
@@ -27,8 +42,8 @@ makestep 1 -1 -If the makestep option is commented out or is not set to \"1 -1\", this is a finding. " - desc 'fix', "Configure chrony to synchronize the internal system clocks to the authoritative source when +If the makestep option is commented out or is not set to \"1 -1\", this is a finding." + desc "fix", "Configure chrony to synchronize the internal system clocks to the authoritative source when the time difference is greater than one second by doing the following: Edit the @@ -39,16 +54,16 @@ Restart the chrony service: $ -sudo systemctl restart chrony.service " +sudo systemctl restart chrony.service" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000356-GPOS-00144 ' - tag gid: 'V-238357 ' - tag rid: 'SV-238357r853432_rule ' - tag stig_id: 'UBTU-20-010436 ' - tag fix_id: 'F-41526r654245_fix ' - tag cci: ['CCI-002046'] - tag nist: ['AU-8 (1) (b)'] + tag severity: "low " + tag gtitle: "SRG-OS-000356-GPOS-00144 " + tag gid: "V-238357 " + tag rid: "SV-238357r853432_rule " + tag stig_id: "UBTU-20-010436 " + tag fix_id: "F-41526r654245_fix " + tag cci: ["CCI-002046"] + tag nist: ["AU-8 (1) (b)"] chrony_file_path = input('chrony_config_file') chrony_file = file(chrony_file_path) @@ -64,4 +79,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238358.rb b/controls/SV-238358.rb index fc28b81..defdd9f 100644 --- a/controls/SV-238358.rb +++ b/controls/SV-238358.rb @@ -1,4 +1,4 @@ -control 'SV-238358' do +control "SV-238358" do title "The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the oper " 
@@ -10,8 +10,17 @@ Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or -monitoring system trap when there is an unauthorized modification of a configuration item. " - desc 'check', "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System +monitoring system trap when there is an unauthorized modification of a configuration item." + desc "default", "Unauthorized changes to the baseline configuration could make the system vulnerable to +various attacks or allow unauthorized access to the operating system. Changes to operating +system configurations can have unintended side effects, some of which may be relevant to +security. + +Detecting such changes and providing an automated response can help avoid +unintended, negative consequences that could ultimately affect the security state of the +operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or +monitoring system trap when there is an unauthorized modification of a configuration item." + desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator when anomalies in the operation of any security functions are discovered with the following command: 
@@ -26,24 +35,25 @@ If SILENTREPORTS is set to \"yes\", this is a finding. -If SILENTREPORTS is not set to \"no\", this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to notify designated personnel if baseline +If SILENTREPORTS is not set to \"no\", this is a finding." + desc "fix", "Configure the Ubuntu operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. Modify the \"SILENTREPORTS\" -parameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist. " +parameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000363-GPOS-00150 ' - tag gid: 'V-238358 ' - tag rid: 'SV-238358r853433_rule ' - tag stig_id: 'UBTU-20-010437 ' - tag fix_id: 'F-41527r654248_fix ' - tag cci: ['CCI-001744'] - tag nist: ['CM-3 (5)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000363-GPOS-00150 " + tag gid: "V-238358 " + tag rid: "SV-238358r853433_rule " + tag stig_id: "UBTU-20-010437 " + tag fix_id: "F-41527r654248_fix " + tag cci: ["CCI-001744"] + tag nist: ["CM-3 (5)"] describe file('/etc/default/aide') do it { should exist } its('content') { should match '^SILENTREPORTS=no$' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238359.rb b/controls/SV-238359.rb index bab5d01..f18e113 100644 --- a/controls/SV-238359.rb +++ b/controls/SV-238359.rb @@ -1,4 +1,4 @@ -control 'SV-238359' do +control "SV-238359" do title "The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is 
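Review bot: `its('content') { should match '^SILENTREPORTS=no$' }` passes as soon as any one line equals `SILENTREPORTS=no`, so a file that also contains a later `SILENTREPORTS=yes` line, which the check text above explicitly calls a finding, still passes this control. Consider asserting both directions, e.g. adding `its('content') { should_not match /^SILENTREPORTS=yes$/ }`, and writing the existing pattern as a regex literal `/^SILENTREPORTS=no$/` instead of a string so the anchors are visibly regex rather than relying on the implicit conversion. These lines are unchanged context, but they are the test logic this reformatted control ships with.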
@@ -17,8 +17,23 @@ vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be -from an approved CA. " - desc 'check', "Verify that APT is configured to prevent the installation of patches, service packs, device +from an approved CA." + desc "default", "Changes to any software components can have significant effects on the overall security of +the operating system. This requirement ensures the software has not been tampered with and +that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device +drivers, or operating system components must be signed with a certificate recognized and +approved by the organization. + +Verifying the authenticity of the software prior to +installation validates the integrity of the patch or upgrade received from a vendor. This +ensures the software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The operating system +should not have to verify the software again. This requirement does not mandate DoD +certificates for this purpose; however, the certificate used to verify the software must be +from an approved CA." + desc "check", "Verify that APT is configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. 
@@ -32,8 +47,8 @@ If any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\", -this is a finding. " - desc 'fix', "Configure APT to prevent the installation of patches, service packs, device drivers, or +this is a finding." + desc "fix", "Configure APT to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. @@ -43,16 +58,16 @@ \"AllowUnauthenticated\" variable to \"false\": APT::Get::AllowUnauthenticated -\"false\"; " +\"false\";" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000366-GPOS-00153 ' - tag gid: 'V-238359 ' - tag rid: 'SV-238359r853434_rule ' - tag stig_id: 'UBTU-20-010438 ' - tag fix_id: 'F-41528r654251_fix ' - tag cci: ['CCI-001749'] - tag nist: ['CM-5 (3)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000366-GPOS-00153 " + tag gid: "V-238359 " + tag rid: "SV-238359r853434_rule " + tag stig_id: "UBTU-20-010438 " + tag fix_id: "F-41528r654251_fix " + tag cci: ["CCI-001749"] + tag nist: ["CM-5 (3)"] describe directory('/etc/apt/apt.conf.d') do it { should exist } @@ -72,4 +87,5 @@ end end end -end + +end \ No newline at end of file diff --git a/controls/SV-238360.rb b/controls/SV-238360.rb index 17c5daa..ed25b41 100644 --- a/controls/SV-238360.rb +++ b/controls/SV-238360.rb @@ -1,5 +1,5 @@ -control 'SV-238360' do - title 'The Ubuntu operating system must be configured to use AppArmor. ' +control "SV-238360" do + title "The Ubuntu operating system must be configured to use AppArmor. " desc "Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes 
@@ -15,10 +15,24 @@ this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, -sandboxed environments, or roles). +sandboxed environments, or roles)." + desc "default", "Control of program execution is a mechanism used to prevent execution of unauthorized +programs. Some operating systems may provide a capability that runs counter to the mission or +provides users with functionality that exceeds mission requirements. This includes +functions and services installed at the operating system-level. + +Some of the programs, +installed by default, may be harmful or may not be necessary to support essential +organizational operations (e.g., key missions, functions). Removal of executable +programs is not always possible; therefore, establishing a method of preventing program +execution is critical to maintaining a secure system baseline. - " - desc 'check', "Verify the operating system prevents program execution in accordance with local policies. +Methods for complying with +this requirement include restricting execution of programs in certain environments, while +preventing execution in other environments; or limiting execution of certain program +functionality based on organization-defined criteria (e.g., privileges, subnets, +sandboxed environments, or roles)." + desc "check", "Verify the operating system prevents program execution in accordance with local policies. Check that AppArmor is installed and active by running the following command, @@ -41,8 +55,8 @@ enabled If \"enabled\" is not returned, this is a -finding. " - desc 'fix', "Install \"AppArmor\" (if it is not installed) with the following command: +finding." + desc "fix", "Install \"AppArmor\" (if it is not installed) with the following command: $ sudo apt-get install apparmor 
@@ -57,21 +71,22 @@ Note: AppArmor must have properly configured profiles for applications and home directories. All configurations will be based on the actual system setup and organization and normally are on a per role basis. -See the AppArmor documentation for more information on configuring profiles. " +See the AppArmor documentation for more information on configuring profiles." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000368-GPOS-00154 ' - tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155) - tag gid: 'V-238360 ' - tag rid: 'SV-238360r853435_rule ' - tag stig_id: 'UBTU-20-010439 ' - tag fix_id: 'F-41529r654254_fix ' - tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235) - tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000368-GPOS-00154 " + tag satisfies: ["SRG-OS-000368-GPOS-00154", "SRG-OS-000312-GPOS-00122", "SRG-OS-000312-GPOS-00123", "SRG-OS-000312-GPOS-00124", "SRG-OS-000324-GPOS-00125", "SRG-OS-000370-GPOS-00155"] + tag gid: "V-238360 " + tag rid: "SV-238360r853435_rule " + tag stig_id: "UBTU-20-010439 " + tag fix_id: "F-41529r654254_fix " + tag cci: ["CCI-001764", "CCI-001774", "CCI-002165", "CCI-002235"] + tag nist: ["CM-7 (2)", "CM-7 (5) (b)", "AC-3 (4)", "AC-6 (10)"] describe service('apparmor') do it { should be_installed } it { should be_enabled } it { should be_running } end -end + +end \ No newline at end of file diff --git a/controls/SV-238361.rb b/controls/SV-238361.rb index a66b814..67c378f 100644 --- a/controls/SV-238361.rb +++ b/controls/SV-238361.rb 
@@ -1,4 +1,4 @@ -control 'SV-238361' do +control "SV-238361" do title "The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password. " desc "Without providing this capability, an account may be created without a password. @@ -8,13 +8,21 @@ Temporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts which allow the users to -log on, yet force them to change the password once they have successfully authenticated. " - desc 'check', "Verify a policy exists that ensures when a user account is created, it is created using a method +log on, yet force them to change the password once they have successfully authenticated." + desc "default", "Without providing this capability, an account may be created without a password. +Non-repudiation cannot be guaranteed once an account is created if a user is not forced to +change the temporary password upon initial logon. + +Temporary passwords are typically used +to allow access when new accounts are created or passwords are changed. It is common practice +for administrators to create temporary passwords for user accounts which allow the users to +log on, yet force them to change the password once they have successfully authenticated." + desc "check", "Verify a policy exists that ensures when a user account is created, it is created using a method that forces a user to change their password upon their next login. If a policy does not exist, -this is a finding. " - desc 'fix', "Create a policy that ensures when a user is created, it is created using a method that forces a +this is a finding." + desc "fix", "Create a policy that ensures when a user is created, it is created using a method that forces a user to change their password upon their next login. Below are two examples of how to create a 
@@ -25,19 +33,20 @@ or -$ sudo passwd -e [UserName] " +$ sudo passwd -e [UserName]" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000380-GPOS-00165 ' - tag gid: 'V-238361 ' - tag rid: 'SV-238361r853436_rule ' - tag stig_id: 'UBTU-20-010440 ' - tag fix_id: 'F-41530r654257_fix ' - tag cci: ['CCI-002041'] - tag nist: ['IA-5 (1) (f)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000380-GPOS-00165 " + tag gid: "V-238361 " + tag rid: "SV-238361r853436_rule " + tag stig_id: "UBTU-20-010440 " + tag fix_id: "F-41530r654257_fix " + tag cci: ["CCI-002041"] + tag nist: ["IA-5 (1) (f)"] describe 'Manual verification required' do skip 'Manually verify if a policy exists to ensure that a method exists to force temporary users to change their password upon next login' end -end + +end \ No newline at end of file diff --git a/controls/SV-238362.rb b/controls/SV-238362.rb index 7e44d9b..8e03e90 100644 --- a/controls/SV-238362.rb +++ b/controls/SV-238362.rb @@ -1,9 +1,11 @@ -control 'SV-238362' do +control "SV-238362" do title "The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. " desc "If cached authentication information is out-of-date, the validity of the authentication -information may be questionable. " - desc 'check', "If smart card authentication is not being used on the system, this s Not Applicable. +information may be questionable." + desc "default", "If cached authentication information is out-of-date, the validity of the authentication +information may be questionable." + desc "check", "If smart card authentication is not being used on the system, this s Not Applicable. Verify that PAM prohibits the use of cached authentications after one day with the following 
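Review bot: The rewritten check line for SV-238362 carries over a typo in user-facing text: `desc "check", "If smart card authentication is not being used on the system, this s Not Applicable.` should read `... this is Not Applicable.`. Since this commit already rewrites every `desc` string it is the natural place to correct it; otherwise the formatting tool will keep reproducing the typo on each pass.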
@@ -16,8 +18,8 @@ If \"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or -in a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding. " - desc 'fix', "Configure PAM to prohibit the use of cached authentications after one day. Add or change the +in a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding." + desc "fix", "Configure PAM to prohibit the use of cached authentications after one day. Add or change the following line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\": @@ -25,16 +27,16 @@ Note: It is valid for this configuration to be in a file with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\" -directory instead of the \"/etc/sssd/sssd.conf\" file. " +directory instead of the \"/etc/sssd/sssd.conf\" file." impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000383-GPOS-00166 ' - tag gid: 'V-238362 ' - tag rid: 'SV-238362r853437_rule ' - tag stig_id: 'UBTU-20-010441 ' - tag fix_id: 'F-41531r654260_fix ' - tag cci: ['CCI-002007'] - tag nist: ['IA-5 (13)'] + tag severity: "low " + tag gtitle: "SRG-OS-000383-GPOS-00166 " + tag gid: "V-238362 " + tag rid: "SV-238362r853437_rule " + tag stig_id: "UBTU-20-010441 " + tag fix_id: "F-41531r654260_fix " + tag cci: ["CCI-002007"] + tag nist: ["IA-5 (13)"] config_file = input('sssd_conf_path') config_file_exists = file(config_file).exist? @@ -49,4 +51,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb index 44d2cbf..36bb954 100644 --- a/controls/SV-238363.rb +++ b/controls/SV-238363.rb 
@@ -1,4 +1,4 @@ -control 'SV-238363' do +control "SV-238363" do title "The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality @@ -7,17 +7,19 @@ desc "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides -assurance they have been tested and validated. - - " - desc 'check', "Verify the system is configured to run in FIPS mode with the following command: +assurance they have been tested and validated." + desc "default", "Use of weak or untested encryption algorithms undermines the purposes of utilizing +encryption to protect data. The operating system must implement cryptographic modules +adhering to the higher standards approved by the federal government since this provides +assurance they have been tested and validated." + desc "check", "Verify the system is configured to run in FIPS mode with the following command: $ grep -i 1 /proc/sys/crypto/fips_enabled 1 -If a value of \"1\" is not returned, this is a finding. " - desc 'fix', "Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the +If a value of \"1\" is not returned, this is a finding." + desc "fix", "Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the Ubuntu operating systems install. Enabling a FIPS mode on a pre-existing system involves a 
@@ -26,17 +28,17 @@ A subscription to the \"Ubuntu Advantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and -enable FIPS. " +enable FIPS." impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000396-GPOS-00176 ' - tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223) - tag gid: 'V-238363 ' - tag rid: 'SV-238363r853438_rule ' - tag stig_id: 'UBTU-20-010442 ' - tag fix_id: 'F-41532r654263_fix ' - tag cci: ['CCI-002450'] - tag nist: ['SC-13 b'] + tag severity: "high " + tag gtitle: "SRG-OS-000396-GPOS-00176 " + tag satisfies: ["SRG-OS-000396-GPOS-00176", "SRG-OS-000478-GPOS-00223"] + tag gid: "V-238363 " + tag rid: "SV-238363r853438_rule " + tag stig_id: "UBTU-20-010442 " + tag fix_id: "F-41532r654263_fix " + tag cci: ["CCI-002450"] + tag nist: ["SC-13 b"] config_file = input('fips_config_file') config_file_exists = file(config_file).exist? @@ -51,4 +53,5 @@ it { should be true } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238364.rb b/controls/SV-238364.rb index 88b59e9..1f5b777 100644 --- a/controls/SV-238364.rb +++ b/controls/SV-238364.rb @@ -1,4 +1,4 @@ -control 'SV-238364' do +control "SV-238364" do title "The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. " desc "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by 
@@ -9,8 +9,17 @@ The DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, -the use of SSL/TLS certificates. " - desc 'check', "Verify the directory containing the root certificates for the Ubuntu operating system +the use of SSL/TLS certificates." + desc "default", "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by +organizations or individuals that seek to compromise DoD systems or by organizations with +insufficient security controls. If the CA used for verifying the certificate is not a +DoD-approved CA, trust of this CA has not been established. + +The DoD will only accept +PKI-certificates obtained from a DoD-approved internal or external certificate +authority. Reliance on CAs for the establishment of secure sessions includes, for example, +the use of SSL/TLS certificates." + desc "check", "Verify the directory containing the root certificates for the Ubuntu operating system (/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate authorities. @@ -22,8 +31,8 @@ -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'; done -If any entry is found, this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to only allow the use of DoD PKI-established +If any entry is found, this is a finding." + desc "fix", "Configure the Ubuntu operating system to only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. 
@@ -40,16 +49,16 @@ Update the \"/etc/ssl/certs\" directory with the following command: $ sudo -update-ca-certificates " +update-ca-certificates" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000403-GPOS-00182 ' - tag gid: 'V-238364 ' - tag rid: 'SV-238364r860824_rule ' - tag stig_id: 'UBTU-20-010443 ' - tag fix_id: 'F-41533r860823_fix ' - tag cci: ['CCI-002470'] - tag nist: ['SC-23 (5)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000403-GPOS-00182 " + tag gid: "V-238364 " + tag rid: "SV-238364r860824_rule " + tag stig_id: "UBTU-20-010443 " + tag fix_id: "F-41533r860823_fix " + tag cci: ["CCI-002470"] + tag nist: ["SC-23 (5)"] allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex') find_command = ''" @@ -60,4 +69,5 @@ describe command(find_command) do its('stdout') { should cmp '' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238365.rb b/controls/SV-238365.rb index 6f71a32..3c1c10b 100644 --- a/controls/SV-238365.rb +++ b/controls/SV-238365.rb @@ -1,4 +1,4 @@ -control 'SV-238365' do +control "SV-238365" do title "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest. " desc "Operating systems handling data requiring \"data at rest\" protections must employ 
@@ -9,8 +9,17 @@ the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk -encryption) or encrypt specific data structures (e.g., files, records, or fields). " - desc 'check', "If there is a documented and approved reason for not having data-at-rest encryption, this +encryption) or encrypt specific data structures (e.g., files, records, or fields)." + desc "default", "Operating systems handling data requiring \"data at rest\" protections must employ +cryptographic mechanisms to prevent unauthorized disclosure and modification of the +information at rest. + +Selection of a cryptographic mechanism is based on the need to protect +the integrity of organizational information. The strength of the mechanism is commensurate +with the security category and/or classification of the information. Organizations have +the flexibility to either encrypt all information on storage devices (i.e., full disk +encryption) or encrypt specific data structures (e.g., files, records, or fields)." + desc "check", "If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. Verify the Ubuntu operating system prevents unauthorized 
@@ -49,23 +58,24 @@ disk partition present must have an entry in the file. If any partitions other than the boot -partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. " - desc 'fix', "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. +partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding." + desc "fix", "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. Note: Encrypting a partition in an already-installed system is more difficult because it -will need to be resized and existing partitions changed. " +will need to be resized and existing partitions changed." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000404-GPOS-00183 ' - tag gid: 'V-238365 ' - tag rid: 'SV-238365r853442_rule ' - tag stig_id: 'UBTU-20-010444 ' - tag fix_id: 'F-41534r654269_fix ' - tag cci: ['CCI-002475'] - tag nist: ['SC-28 (1)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000404-GPOS-00183 " + tag gid: "V-238365 " + tag rid: "SV-238365r853442_rule " + tag stig_id: "UBTU-20-010444 " + tag fix_id: "F-41534r654269_fix " + tag cci: ["CCI-002475"] + tag nist: ["SC-28 (1)"] describe 'Not Applicable' do skip 'Encryption of data at rest is handled by the IaaS' end -end + +end \ No newline at end of file diff --git a/controls/SV-238366.rb b/controls/SV-238366.rb index 28e309c..cf23302 100644 --- a/controls/SV-238366.rb +++ b/controls/SV-238366.rb @@ -1,4 +1,4 @@ -control 'SV-238366' do +control "SV-238366" do title "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest. " desc "Operating systems handling data requiring \"data at rest\" protections must employ 
@@ -9,8 +9,17 @@ the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk -encryption) or encrypt specific data structures (e.g., files, records, or fields). " - desc 'check', "If there is a documented and approved reason for not having data-at-rest encryption, this +encryption) or encrypt specific data structures (e.g., files, records, or fields)." + desc "default", "Operating systems handling data requiring \"data at rest\" protections must employ +cryptographic mechanisms to prevent unauthorized disclosure and modification of the +information at rest. + +Selection of a cryptographic mechanism is based on the need to protect +the integrity of organizational information. The strength of the mechanism is commensurate +with the security category and/or classification of the information. Organizations have +the flexibility to either encrypt all information on storage devices (i.e., full disk +encryption) or encrypt specific data structures (e.g., files, records, or fields)." + desc "check", "If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. Verify the Ubuntu operating system prevents unauthorized 
@@ -49,23 +58,24 @@ disk partition present must have an entry in the file. If any partitions other than the boot -partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. " - desc 'fix', "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. +partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding." + desc "fix", "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. Note: Encrypting a partition in an already-installed system is more difficult because it -will need to be resized and existing partitions changed. " +will need to be resized and existing partitions changed." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000405-GPOS-00184 ' - tag gid: 'V-238366 ' - tag rid: 'SV-238366r853443_rule ' - tag stig_id: 'UBTU-20-010445 ' - tag fix_id: 'F-41535r654272_fix ' - tag cci: ['CCI-002476'] - tag nist: ['SC-28 (1)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000405-GPOS-00184 " + tag gid: "V-238366 " + tag rid: "SV-238366r853443_rule " + tag stig_id: "UBTU-20-010445 " + tag fix_id: "F-41535r654272_fix " + tag cci: ["CCI-002476"] + tag nist: ["SC-28 (1)"] describe 'Not Applicable' do skip 'Encryption of data at rest is handled by the IaaS' end -end + +end \ No newline at end of file diff --git a/controls/SV-238367.rb b/controls/SV-238367.rb index 43a6a10..2f0d7bf 100644 --- a/controls/SV-238367.rb +++ b/controls/SV-238367.rb @@ -1,4 +1,4 @@ -control 'SV-238367' do +control "SV-238367" do title "The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces. " desc "Denial of service (DoS) is a condition when a resource is not available for legitimate users. 
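Review bot: `describe 'Not Applicable' do skip 'Encryption of data at rest is handled by the IaaS' end` makes the control Not Applicable unconditionally, while the check text in this same file allows NA only when there is a documented and approved reason. Gate the skip on a profile input so a deployment without that approval actually runs the partition check, e.g. `if input('data_at_rest_exempt') then skip ... else <assert each non-boot partition has a /etc/crypttab entry> end`; the inputs file is not visible here, so the input name is a suggestion. The same unconditional skip appears in SV-238365 and should be handled the same way.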
@@ -11,8 +11,19 @@ solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service -redundancy, may reduce the susceptibility to some DoS attacks. " - desc 'check', "Verify an application firewall is configured to rate limit any connection to the system. +redundancy, may reduce the susceptibility to some DoS attacks." + desc "default", "Denial of service (DoS) is a condition when a resource is not available for legitimate users. +When this occurs, the organization either cannot accomplish its mission or must operate at +degraded capacity. + +This requirement addresses the configuration of the operating system +to mitigate the impact of DoS attacks that have occurred or are ongoing on system +availability. For each system, known and potential DoS attacks must be identified and +solutions for each type implemented. A variety of technologies exist to limit or, in some +cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing +memory partitions). Employing increased capacity and bandwidth, combined with service +redundancy, may reduce the susceptibility to some DoS attacks." + desc "check", "Verify an application firewall is configured to rate limit any connection to the system. Check all the services listening to the ports with the following command: 
@@ -38,8 +49,8 @@ 22/tcp (v6) LIMIT Anywhere (v6) If -any port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding. " - desc 'fix', "Configure the application firewall to protect against or limit the effects of DoS attacks by +any port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding." + desc "fix", "Configure the application firewall to protect against or limit the effects of DoS attacks by ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted network interfaces. @@ -62,18 +73,19 @@ be done on an interface. An example of adding a rate-limit on the eth0 interface follows: $ -sudo ufw limit in on eth0 " +sudo ufw limit in on eth0" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000420-GPOS-00186 ' - tag gid: 'V-238367 ' - tag rid: 'SV-238367r853444_rule ' - tag stig_id: 'UBTU-20-010446 ' - tag fix_id: 'F-41536r654275_fix ' - tag cci: ['CCI-002385'] - tag nist: ['SC-5 a'] + tag severity: "medium " + tag gtitle: "SRG-OS-000420-GPOS-00186 " + tag gid: "V-238367 " + tag rid: "SV-238367r853444_rule " + tag stig_id: "UBTU-20-010446 " + tag fix_id: "F-41536r654275_fix " + tag cci: ["CCI-002385"] + tag nist: ["SC-5 a"] describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do skip 'Status listings checks must be preformed manually' end -end + +end \ No newline at end of file diff --git a/controls/SV-238368.rb b/controls/SV-238368.rb index 8e49e32..6db0270 100644 --- a/controls/SV-238368.rb +++ b/controls/SV-238368.rb @@ -1,4 +1,4 @@ -control 'SV-238368' do +control "SV-238368" do title "The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution. " desc "Some adversaries launch attacks with the intent of executing code in non-executable regions 
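Review bot: The skip message `skip 'Status listings checks must be preformed manually'` has a typo ("preformed"); since it is the text reported on every run, change it to `skip 'Status listings checks must be performed manually'`. Beyond the wording, the control skips the whole rule even though the check text gives a mechanical criterion — every port in a `LISTEN` state must carry the `LIMIT` action in `ufw status` — so the test could parse the listening-port and `ufw status` command output named in the check text and leave only the documented-exception review to the skip. The describe block here is the entire test body for this control.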
@@ -8,8 +8,16 @@ software-enforced with hardware providing the greater strength of mechanism. Examples -of attacks are buffer overflow attacks. " - desc 'check', "Verify the NX (no-execution) bit flag is set on the system with the following commands: +of attacks are buffer overflow attacks." + desc "default", "Some adversaries launch attacks with the intent of executing code in non-executable regions +of memory or in memory locations that are prohibited. Security safeguards employed to +protect memory include, for example, data execution prevention and address space layout +randomization. Data execution prevention safeguards can either be hardware-enforced or +software-enforced with hardware providing the greater strength of mechanism. + +Examples +of attacks are buffer overflow attacks." + desc "check", "Verify the NX (no-execution) bit flag is set on the system with the following commands: $ dmesg | grep -i \"execute disable\" @@ -24,21 +32,21 @@ de pse tsc ms nx rdtscp lm constant_tsc If \"flags\" does not contain the \"nx\" flag, this is a -finding. " - desc 'fix', "Configure the Ubuntu operating system to enable NX. +finding." + desc "fix", "Configure the Ubuntu operating system to enable NX. If \"nx\" is not showing up in \"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No -Execution bit, set it to \"enable\". " +Execution bit, set it to \"enable\"." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000433-GPOS-00192 ' - tag gid: 'V-238368 ' - tag rid: 'SV-238368r853445_rule ' - tag stig_id: 'UBTU-20-010447 ' - tag fix_id: 'F-41537r654278_fix ' - tag cci: ['CCI-002824'] - tag nist: ['SI-16'] + tag severity: "medium " + tag gtitle: "SRG-OS-000433-GPOS-00192 " + tag gid: "V-238368 " + tag rid: "SV-238368r853445_rule " + tag stig_id: "UBTU-20-010447 " + tag fix_id: "F-41537r654278_fix " + tag cci: ["CCI-002824"] + tag nist: ["SI-16"] options = { assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/, 
@@ -51,4 +59,5 @@ it { should include 'nx' } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238369.rb b/controls/SV-238369.rb index 5f6dcd4..8bfc537 100644 --- a/controls/SV-238369.rb +++ b/controls/SV-238369.rb @@ -1,4 +1,4 @@ -control 'SV-238369' do +control "SV-238369" do title "The Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution. " desc "Some adversaries launch attacks with the intent of executing code in non-executable regions @@ -8,8 +8,16 @@ software-enforced with hardware providing the greater strength of mechanism. Examples -of attacks are buffer overflow attacks. " - desc 'check', "Verify the Ubuntu operating system implements address space layout randomization (ASLR) +of attacks are buffer overflow attacks." + desc "default", "Some adversaries launch attacks with the intent of executing code in non-executable regions +of memory or in memory locations that are prohibited. Security safeguards employed to +protect memory include, for example, data execution prevention and address space layout +randomization. Data execution prevention safeguards can either be hardware-enforced or +software-enforced with hardware providing the greater strength of mechanism. + +Examples +of attacks are buffer overflow attacks." + desc "check", "Verify the Ubuntu operating system implements address space layout randomization (ASLR) with the following command: $ sudo sysctl kernel.randomize_va_space 
@@ -34,8 +42,8 @@ $ sudo egrep -R \"^kernel.randomize_va_space=[^2]\" /etc/sysctl.conf /etc/sysctl.d -If this returns a result, this is a finding. " - desc 'fix', "Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any +If this returns a result, this is a finding." + desc "fix", "Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any file located in the \"/etc/sysctl.d/\" directory. After the line has been removed, the @@ -43,18 +51,19 @@ changes will take effect. Run the following command to reload all of the kernel system configuration files: -$ sudo sysctl --system " +$ sudo sysctl --system" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000433-GPOS-00193 ' - tag gid: 'V-238369 ' - tag rid: 'SV-238369r853446_rule ' - tag stig_id: 'UBTU-20-010448 ' - tag fix_id: 'F-41538r654281_fix ' - tag cci: ['CCI-002824'] - tag nist: ['SI-16'] + tag severity: "medium " + tag gtitle: "SRG-OS-000433-GPOS-00193 " + tag gid: "V-238369 " + tag rid: "SV-238369r853446_rule " + tag stig_id: "UBTU-20-010448 " + tag fix_id: "F-41538r654281_fix " + tag cci: ["CCI-002824"] + tag nist: ["SI-16"] describe kernel_parameter('kernel.randomize_va_space') do its('value') { should cmp 2 } end -end + +end \ No newline at end of file diff --git a/controls/SV-238370.rb b/controls/SV-238370.rb index d1da2f9..c5b5835 100644 --- a/controls/SV-238370.rb +++ b/controls/SV-238370.rb 
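Review bot: `describe kernel_parameter('kernel.randomize_va_space') do its('value') { should cmp 2 } end` verifies only the running value, but the check text in this hunk also makes it a finding when `egrep -R "^kernel.randomize_va_space=[^2]" /etc/sysctl.conf /etc/sysctl.d` returns anything, i.e. when a persisted setting would undo the value at the next reload or boot. Add a second expectation for the persisted configuration, e.g. `describe command('grep -R "^kernel.randomize_va_space=[^2]" /etc/sysctl.conf /etc/sysctl.d') do its('stdout') { should be_empty } end`.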
@@ -1,11 +1,15 @@ -control 'SV-238370' do +control "SV-238370" do title "The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all software components after updated versions have been installed. " desc "Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the -information system. " - desc 'check', "Verify is configured to remove all software components after updated versions have been +information system." + desc "default", "Previous versions of software components that are not removed from the information system +after updates have been installed may be exploited by adversaries. Some information +technology products may remove older versions of software automatically from the +information system." + desc "check", "Verify is configured to remove all software components after updated versions have been installed with the following command: $ grep -i remove-unused @@ -17,8 +21,8 @@ If the \"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are -not set to \"true\" or are missing or commented out, this is a finding. " - desc 'fix', "Configure APT to remove all software components after updated versions have been installed. +not set to \"true\" or are missing or commented out, this is a finding." + desc "fix", "Configure APT to remove all software components after updated versions have been installed. Add or updated the following options to the 
@@ -27,16 +31,16 @@ Unattended-Upgrade::Remove-Unused-Dependencies \"true\"; -Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\"; " +Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000437-GPOS-00194 ' - tag gid: 'V-238370 ' - tag rid: 'SV-238370r853447_rule ' - tag stig_id: 'UBTU-20-010449 ' - tag fix_id: 'F-41539r654284_fix ' - tag cci: ['CCI-002617'] - tag nist: ['SI-2 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000437-GPOS-00194 " + tag gid: "V-238370 " + tag rid: "SV-238370r853447_rule " + tag stig_id: "UBTU-20-010449 " + tag fix_id: "F-41539r654284_fix " + tag cci: ["CCI-002617"] + tag nist: ["SI-2 (6)"] describe directory('/etc/apt/apt.conf.d') do it { should exist } @@ -46,4 +50,5 @@ it { should match /^\s*([^\s]*::Remove-Unused-Dependencies)\s*\"true\"\s*;$/ } it { should match /^\s*([^\s]*::Remove-Unused-Kernel-Packages)\s*\"true\"\s*;$/ } end -end + +end \ No newline at end of file diff --git a/controls/SV-238371.rb b/controls/SV-238371.rb index 11a8b3b..fb9e779 100644 --- a/controls/SV-238371.rb +++ b/controls/SV-238371.rb @@ -1,4 +1,4 @@ -control 'SV-238371' do +control "SV-238371" do title "The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions. " desc "Without verification of the security functions, security functions may not operate 
@@ -11,8 +11,19 @@ This requirement applies to the Ubuntu operating system performing security function verification/testing -and/or systems and environments that require this functionality. " - desc 'check', "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the +and/or systems and environments that require this functionality." + desc "default", "Without verification of the security functions, security functions may not operate +correctly and the failure may go unnoticed. Security function is defined as the hardware, +software, and/or firmware of the information system responsible for enforcing the system +security policy and supporting the isolation of code and data on which the protection is +based. Security functionality includes, but is not limited to, establishing system +accounts, configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + +This requirement +applies to the Ubuntu operating system performing security function verification/testing +and/or systems and environments that require this functionality." + desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. Check that the AIDE package is installed with 
@@ -26,21 +37,22 @@ Administrator how file integrity checks are performed on the system. If no application is -installed to perform integrity checks, this is a finding. " - desc 'fix', "Install the AIDE package by running the following command: +installed to perform integrity checks, this is a finding." + desc "fix", "Install the AIDE package by running the following command: -$ sudo apt-get install aide " +$ sudo apt-get install aide" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000445-GPOS-00199 ' - tag gid: 'V-238371 ' - tag rid: 'SV-238371r853448_rule ' - tag stig_id: 'UBTU-20-010450 ' - tag fix_id: 'F-41540r654287_fix ' - tag cci: ['CCI-002696'] - tag nist: ['SI-6 a'] + tag severity: "medium " + tag gtitle: "SRG-OS-000445-GPOS-00199 " + tag gid: "V-238371 " + tag rid: "SV-238371r853448_rule " + tag stig_id: "UBTU-20-010450 " + tag fix_id: "F-41540r654287_fix " + tag cci: ["CCI-002696"] + tag nist: ["SI-6 a"] describe package('aide') do it { should be_installed } end -end + +end \ No newline at end of file diff --git a/controls/SV-238372.rb b/controls/SV-238372.rb index ba57f0c..330062f 100644 --- a/controls/SV-238372.rb +++ b/controls/SV-238372.rb @@ -1,4 +1,4 @@ -control 'SV-238372' do +control "SV-238372" do title "The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the operation of 
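Review bot: `describe package('aide') do it { should be_installed } end` only proves the package exists, while the title requires the tool to verify correct operation of security functions and the check text accepts a different integrity tool when the SA can name one. An installed but never-initialised AIDE verifies nothing, so consider also asserting the database exists, e.g. `describe file('/var/lib/aide/aide.db') do it { should exist } end`; that path is the Ubuntu package default and should be confirmed against the aide.conf this profile targets. The alternate-tool branch of the check text is not represented in the test at all.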
@@ -12,8 +12,18 @@ help avoid unintended, negative consequences that could ultimately affect the security state of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification -of a configuration item. " - desc 'check', "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System +of a configuration item." + desc "default", "Unauthorized changes to the baseline configuration could make the system vulnerable to +various attacks or allow unauthorized access to the Ubuntu operating system. Changes to +Ubuntu operating system configurations can have unintended side effects, some of which may +be relevant to security. + +Detecting such changes and providing an automated response can +help avoid unintended, negative consequences that could ultimately affect the security +state of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be +notified via email and/or monitoring system trap when there is an unauthorized modification +of a configuration item." + desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator when anomalies in the operation of any security functions are discovered with the following command: 
@@ -23,24 +33,25 @@ SILENTREPORTS=no -If SILENTREPORTS is uncommented and set to \"yes\", this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to notify designated personnel if baseline +If SILENTREPORTS is uncommented and set to \"yes\", this is a finding." + desc "fix", "Configure the Ubuntu operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. Modify the \"SILENTREPORTS\" -parameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist. " +parameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist." impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000447-GPOS-00201 ' - tag gid: 'V-238372 ' - tag rid: 'SV-238372r853449_rule ' - tag stig_id: 'UBTU-20-010451 ' - tag fix_id: 'F-41541r654290_fix ' - tag cci: ['CCI-002702'] - tag nist: ['SI-6 d'] + tag severity: "medium " + tag gtitle: "SRG-OS-000447-GPOS-00201 " + tag gid: "V-238372 " + tag rid: "SV-238372r853449_rule " + tag stig_id: "UBTU-20-010451 " + tag fix_id: "F-41541r654290_fix " + tag cci: ["CCI-002702"] + tag nist: ["SI-6 d"] describe file('/etc/default/aide') do it { should exist } its('content') { should match '^SILENTREPORTS=no$' } end -end + +end \ No newline at end of file diff --git a/controls/SV-238373.rb b/controls/SV-238373.rb index fc0e79a..6f5b9c0 100644 --- a/controls/SV-238373.rb +++ b/controls/SV-238373.rb @@ -1,4 +1,4 @@ -control 'SV-238373' do +control "SV-238373" do title "The Ubuntu operating system must display the date and time of the last successful account logon upon logon. " desc "Configuration settings are the set of parameters that can be changed in hardware, software, 
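Review bot: `its('content') { should match '^SILENTREPORTS=no$' }` is tighter than the check text in the same hunk, which makes a finding only when SILENTREPORTS is uncommented and set to "yes": a line such as `SILENTREPORTS=no ` with trailing whitespace or `SILENTREPORTS = no` fails the test although the check passes. If the intent is to mirror the check, use `its('content') { should_not match /^\s*SILENTREPORTS\s*=\s*["']?yes/ }` next to the existence check; if the intent is the stricter "must be explicitly no", tolerate whitespace with `/^\s*SILENTREPORTS\s*=\s*no\s*$/`. Either way, passing a String to `match` relies on implicit Regexp conversion, so a literal Regexp is clearer.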
@@ -7,8 +7,15 @@ state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, -protocols, services, and remote connections. " - desc 'check', "Verify users are provided with feedback on when account accesses last occurred. +protocols, services, and remote connections." + desc "default", "Configuration settings are the set of parameters that can be changed in hardware, software, +or firmware components of the system that affect the security posture and/or functionality +of the system. Security-related parameters are those parameters impacting the security +state of the system, including the parameters required to satisfy other security control +requirements. Security-related parameters include, for example: registry settings; +account, file, directory permission settings; and settings for functions, ports, +protocols, services, and remote connections." + desc "check", "Verify users are provided with feedback on when account accesses last occurred. Check that \"pam_lastlog\" is used and not silent with the following command: 
@@ -20,28 +27,29 @@ If \"pam_lastlog\" is missing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present, -this is a finding. " - desc 'fix', "Configure the Ubuntu operating system to provide users with feedback on when account +this is a finding." + desc "fix", "Configure the Ubuntu operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in \"/etc/pam.d/login\". Add the following line to the top of \"/etc/pam.d/login\": session -required pam_lastlog.so showfailed " +required pam_lastlog.so showfailed" impact 0.3 - tag severity: 'low ' - tag gtitle: 'SRG-OS-000480-GPOS-00227 ' - tag gid: 'V-238373 ' - tag rid: 'SV-238373r858539_rule ' - tag stig_id: 'UBTU-20-010453 ' - tag fix_id: 'F-41542r654293_fix ' - tag cci: ['CCI-000052'] - tag nist: ['AC-9'] + tag severity: "low " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-238373 " + tag rid: "SV-238373r858539_rule " + tag stig_id: "UBTU-20-010453 " + tag fix_id: "F-41542r654293_fix " + tag cci: ["CCI-000052"] + tag nist: ["AC-9"] describe command('grep pam_lastlog /etc/pam.d/login') do its('exit_status') { should eq 0 } its('stdout.strip') { should match /^\s*session\s+required\s+pam_lastlog.so/ } its('stdout.strip') { should_not match /^\s*session\s+required\s+pam_lastlog.so[\s\w\d\=]+.*silent/ } end -end + +end \ No newline at end of file diff --git a/controls/SV-238374.rb b/controls/SV-238374.rb index 086ecf6..6300e50 100644 --- a/controls/SV-238374.rb +++ b/controls/SV-238374.rb 
@@ -1,9 +1,12 @@ -control 'SV-238374' do - title 'The Ubuntu operating system must have an application firewall enabled. ' +control "SV-238374" do + title "The Ubuntu operating system must have an application firewall enabled. " desc "Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate -over the network. " - desc 'check', "Verify the Uncomplicated Firewall is enabled on the system by running the following command: +over the network." + desc "default", "Firewalls protect computers from network attacks by blocking or limiting access to open +network ports. Application firewalls limit which applications are allowed to communicate +over the network." + desc "check", "Verify the Uncomplicated Firewall is enabled on the system by running the following command: $ systemctl status ufw.service | grep -i \"active:\" @@ -16,8 +19,8 @@ If the Uncomplicated Firewall is not installed, ask the System Administrator if another application firewall is installed. If no application firewall is installed, this -is a finding. " - desc 'fix', "Enable the Uncomplicated Firewall by using the following command: +is a finding." + desc "fix", "Enable the Uncomplicated Firewall by using the following command: $ sudo systemctl enable ufw.service 
@@ -25,20 +28,21 @@ If the Uncomplicated Firewall is not currently running on the system, start it with the following command: -$ sudo systemctl start ufw.service " +$ sudo systemctl start ufw.service" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000480-GPOS-00232 ' - tag gid: 'V-238374 ' - tag rid: 'SV-238374r654297_rule ' - tag stig_id: 'UBTU-20-010454 ' - tag fix_id: 'F-41543r654296_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "medium " + tag gtitle: "SRG-OS-000480-GPOS-00232 " + tag gid: "V-238374 " + tag rid: "SV-238374r654297_rule " + tag stig_id: "UBTU-20-010454 " + tag fix_id: "F-41543r654296_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] describe service('ufw') do it { should be_installed } it { should be_enabled } it { should be_running } end -end + +end \ No newline at end of file diff --git a/controls/SV-238376.rb b/controls/SV-238376.rb index 5736f99..356f779 100644 --- a/controls/SV-238376.rb +++ b/controls/SV-238376.rb @@ -1,5 +1,5 @@ -control 'SV-238376' do - title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ' +control "SV-238376" do + title "The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. " desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
@@ -9,8 +9,18 @@ in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. " - desc 'check', "Verify the system commands contained in the following directories have mode 0755 or less +changes, including upgrades and modifications." + desc "default", "If the Ubuntu operating system were to allow any user to make changes to software libraries, +then those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +Ubuntu operating systems with software libraries that are accessible and configurable, as +in the case of interpreted languages. Software libraries also include privileged programs +which execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications." + desc "check", "Verify the system commands contained in the following directories have mode 0755 or less permissive: /bin 
@@ -28,21 +38,21 @@ /022 -type f -exec stat -c \"%n %a\" '{}' \\; If any files are found to be group-writable or -world-writable, this is a finding. " - desc 'fix', "Configure the system commands to be protected from unauthorized access. Run the following +world-writable, this is a finding." + desc "fix", "Configure the system commands to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm -/022 -type f -exec chmod 755 '{}' \\; " +/022 -type f -exec chmod 755 '{}' \\;" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000259-GPOS-00100 ' - tag gid: 'V-238376 ' - tag rid: 'SV-238376r654303_rule ' - tag stig_id: 'UBTU-20-010456 ' - tag fix_id: 'F-41545r654302_fix ' - tag cci: ['CCI-001499'] - tag nist: ['CM-5 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238376 " + tag rid: "SV-238376r654303_rule " + tag stig_id: "UBTU-20-010456 " + tag fix_id: "F-41545r654302_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split("\n").entries valid_system_commands = Set[] @@ -67,4 +77,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238377.rb b/controls/SV-238377.rb index 486d94e..fa02cee 100644 --- a/controls/SV-238377.rb +++ b/controls/SV-238377.rb 
@@ -1,5 +1,5 @@ -control 'SV-238377' do - title 'The Ubuntu operating system must have system commands owned by root or a system account. ' +control "SV-238377" do + title "The Ubuntu operating system must have system commands owned by root or a system account. " desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -9,8 +9,18 @@ in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. " - desc 'check', "Verify the system commands contained in the following directories are owned by root, or a +changes, including upgrades and modifications." + desc "default", "If the Ubuntu operating system were to allow any user to make changes to software libraries, +then those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +Ubuntu operating systems with software libraries that are accessible and configurable, as +in the case of interpreted languages. Software libraries also include privileged programs +which execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications." + desc "check", "Verify the system commands contained in the following directories are owned by root, or a required system account: /bin 
@@ -28,21 +38,21 @@ '{}' \\; If any system commands are returned and are not owned by a required system account, -this is a finding. " - desc 'fix', "Configure the system commands and their respective parent directories to be protected from +this is a finding." + desc "fix", "Configure the system commands and their respective parent directories to be protected from unauthorized access. Run the following command, replacing \"[FILE]\" with any system command file not owned by \"root\" or a required system account: -$ sudo chown root [FILE] " +$ sudo chown root [FILE]" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000259-GPOS-00100 ' - tag gid: 'V-238377 ' - tag rid: 'SV-238377r832968_rule ' - tag stig_id: 'UBTU-20-010457 ' - tag fix_id: 'F-41546r832967_fix ' - tag cci: ['CCI-001499'] - tag nist: ['CM-5 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238377 " + tag rid: "SV-238377r832968_rule " + tag stig_id: "UBTU-20-010457 " + tag fix_id: "F-41546r832967_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split("\n").entries valid_system_commands = Set[] @@ -67,4 +77,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238378.rb b/controls/SV-238378.rb index 53f4177..3b6ba05 100644 --- a/controls/SV-238378.rb +++ b/controls/SV-238378.rb @@ -1,4 +1,4 @@ -control 'SV-238378' do +control "SV-238378" do title "The Ubuntu operating system must have system commands group-owned by root or a system account. " desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, 
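Review bot: `command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f')` walks without `-L`, whereas the sibling controls SV-238376 and SV-238378 use `find -L`; without `-L`, `-type f` never matches a symlink, so a command installed as a symlink into another location is not examined by this control at all. The STIG check command for this rule is above this hunk and not visible; if it uses `find -L` as the others do, align this to `find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f`. The filtering of `valid_system_commands` continues past the end of the hunk.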
@@ -10,8 +10,18 @@ in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. " - desc 'check', "Verify the system commands contained in the following directories are group-owned by root or +changes, including upgrades and modifications." + desc "default", "If the Ubuntu operating system were to allow any user to make changes to software libraries, +then those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +Ubuntu operating systems with software libraries that are accessible and configurable, as +in the case of interpreted languages. Software libraries also include privileged programs +which execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications." + desc "check", "Verify the system commands contained in the following directories are group-owned by root or a required system account: /bin 
@@ -29,21 +39,21 @@ stat -c \"%n %G\" '{}' \\; If any system commands are returned that are not Set Group ID upon -execution (SGID) files and group-owned by a required system account, this is a finding. " - desc 'fix', "Configure the system commands to be protected from unauthorized access. Run the following +execution (SGID) files and group-owned by a required system account, this is a finding." + desc "fix", "Configure the system commands to be protected from unauthorized access. Run the following command, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a required system account: -$ sudo chgrp root [FILE] " +$ sudo chgrp root [FILE]" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000259-GPOS-00100 ' - tag gid: 'V-238378 ' - tag rid: 'SV-238378r832971_rule ' - tag stig_id: 'UBTU-20-010458 ' - tag fix_id: 'F-41547r832970_fix ' - tag cci: ['CCI-001499'] - tag nist: ['CM-5 (6)'] + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238378 " + tag rid: "SV-238378r832971_rule " + tag stig_id: "UBTU-20-010458 " + tag fix_id: "F-41547r832970_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split("\n").entries valid_system_commands = Set[] @@ -68,4 +78,5 @@ its('count') { should eq 0 } end end -end + +end \ No newline at end of file diff --git a/controls/SV-238379.rb b/controls/SV-238379.rb index c0c31f3..bd4e1b2 100644 --- a/controls/SV-238379.rb +++ b/controls/SV-238379.rb @@ -1,4 +1,4 @@ -control 'SV-238379' do +control "SV-238379" do title "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed. " desc "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the 
@@ -6,8 +6,14 @@ can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is -taken. " - desc 'check', "Verify the Ubuntu operating system is not configured to reboot the system when +taken." + desc "default", "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the +system. If accidentally pressed, as could happen in the case of a mixed OS environment, this +can create the risk of short-term loss of availability of systems due to unintentional +reboot. In the graphical environment, risk of unintentional reboot from the +Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is +taken." + desc "check", "Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed when using a graphical user interface. Check that the \"logout\" @@ -19,8 +25,8 @@ logout='' If the \"logout\" key is bound to an action, is -commented out, or is missing, this is a finding. " - desc 'fix', "Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user +commented out, or is missing, this is a finding." + desc "fix", "Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user interface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file. Add 
@@ -33,16 +39,16 @@ Update the dconf settings: -# dconf update " +# dconf update" impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000480-GPOS-00227 ' - tag gid: 'V-238379 ' - tag rid: 'SV-238379r654312_rule ' - tag stig_id: 'UBTU-20-010459 ' - tag fix_id: 'F-41548r654311_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-238379 " + tag rid: "SV-238379r654312_rule " + tag stig_id: "UBTU-20-010459 " + tag fix_id: "F-41548r654311_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] xorg_status = command('which Xorg').exit_status if xorg_status == 0 @@ -54,4 +60,5 @@ skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) end end -end + +end \ No newline at end of file diff --git a/controls/SV-238380.rb b/controls/SV-238380.rb index 3770b91..de35fbe 100644 --- a/controls/SV-238380.rb +++ b/controls/SV-238380.rb 
@@ -1,10 +1,14 @@ -control 'SV-238380' do - title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ' +control "SV-238380" do + title "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. " desc "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional -reboot. " - desc 'check', "Verify the Ubuntu operating system is not configured to reboot the system when +reboot." + desc "default", "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the +system. If accidentally pressed, as could happen in the case of a mixed OS environment, this +can create the risk of short-term loss of availability of systems due to unintentional +reboot." + desc "check", "Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. Check that the \"ctrl-alt-del.target\" (otherwise also known @@ -18,8 +22,8 @@ Active: inactive (dead) If the \"ctrl-alt-del.target\" -is not masked, this is a finding. " - desc 'fix', "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the +is not masked, this is a finding." + desc "fix", "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: $ sudo systemctl disable ctrl-alt-del.target 
@@ -30,19 +34,20 @@ Reload the daemon to take effect: $ sudo systemctl -daemon-reload " +daemon-reload" impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000480-GPOS-00227 ' - tag gid: 'V-238380 ' - tag rid: 'SV-238380r832974_rule ' - tag stig_id: 'UBTU-20-010460 ' - tag fix_id: 'F-41549r832973_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-238380 " + tag rid: "SV-238380r832974_rule " + tag stig_id: "UBTU-20-010460 " + tag fix_id: "F-41549r832973_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] describe service('ctrl-alt-del.target') do it { should_not be_running } it { should_not be_enabled } end -end + +end \ No newline at end of file diff --git a/controls/SV-251503.rb b/controls/SV-251503.rb index 565c101..453a37a 100644 --- a/controls/SV-251503.rb +++ b/controls/SV-251503.rb 
@@ -1,33 +1,37 @@ -control 'SV-251503' do - title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. ' +control "SV-251503" do + title "The Ubuntu operating system must not have accounts configured with blank or null passwords. " desc "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational -environments. " - desc 'check', "Check the \"/etc/shadow\" file for blank passwords with the following command: +environments." + desc "default", "If an account has an empty password, anyone could log on and run commands with the privileges of +that account. Accounts with empty passwords should never be used in operational +environments." + desc "check", "Check the \"/etc/shadow\" file for blank passwords with the following command: $ sudo awk -F: '!$2 {print $1}' /etc/shadow -If the command returns any results, this is a finding. " - desc 'fix', "Configure all accounts on the system to have a password or lock the account with the following +If the command returns any results, this is a finding." 
+ desc "fix", "Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: $ sudo passwd [username] Lock an account: $ sudo -passwd -l [username] " +passwd -l [username]" impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000480-GPOS-00227 ' - tag gid: 'V-251503 ' - tag rid: 'SV-251503r808506_rule ' - tag stig_id: 'UBTU-20-010462 ' - tag fix_id: 'F-54892r808505_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-251503 " + tag rid: "SV-251503r808506_rule " + tag stig_id: "UBTU-20-010462 " + tag fix_id: "F-54892r808505_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] describe command("sudo awk -F: '!$2 {print $1}' /etc/shadow") do its('stdout') { should be_empty } end -end + +end \ No newline at end of file diff --git a/controls/SV-251504.rb b/controls/SV-251504.rb index eb7e5d9..8a4940f 100644 --- a/controls/SV-251504.rb +++ b/controls/SV-251504.rb @@ -1,9 +1,12 @@ -control 'SV-251504' do - title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. ' +control "SV-251504" do + title "The Ubuntu operating system must not allow accounts configured with blank or null passwords. " desc "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational -environments. " - desc 'check', "To verify that null passwords cannot be used, run the following command: +environments." + desc "default", "If an account has an empty password, anyone could log on and run commands with the privileges of +that account. Accounts with empty passwords should never be used in operational +environments." + desc "check", "To verify that null passwords cannot be used, run the following command: $ grep nullok /etc/pam.d/common-password 
@@ -11,24 +14,25 @@ If this produces any output, it may be possible to log on with accounts with empty passwords. -If null passwords can be used, this is a finding. " - desc 'fix', "If an account is configured for password authentication but does not have an assigned +If null passwords can be used, this is a finding." + desc "fix", "If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. Remove any instances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with -empty passwords. " +empty passwords." impact 0.7 - tag severity: 'high ' - tag gtitle: 'SRG-OS-000480-GPOS-00227 ' - tag gid: 'V-251504 ' - tag rid: 'SV-251504r832977_rule ' - tag stig_id: 'UBTU-20-010463 ' - tag fix_id: 'F-54893r832976_fix ' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-251504 " + tag rid: "SV-251504r832977_rule " + tag stig_id: "UBTU-20-010463 " + tag fix_id: "F-54893r832976_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] describe command('grep nullok /etc/pam.d/common-password') do its('stdout') { should be_empty } end -end + +end \ No newline at end of file diff --git a/controls/SV-251505.rb b/controls/SV-251505.rb index a6f24f0..4ad320e 100644 --- a/controls/SV-251505.rb +++ b/controls/SV-251505.rb 
@@ -1,12 +1,17 @@ -control 'SV-251505' do +control "SV-251505" do title "The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) mass storage driver. " desc "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, -such devices as flash drives, external storage, and printers. " - desc 'check', "Verify that Ubuntu operating system disables ability to load the USB storage kernel +such devices as flash drives, external storage, and printers." + desc "default", "Without authenticating devices, unidentified or unknown devices may be introduced, +thereby facilitating malicious activity. + +Peripherals include, but are not limited to, +such devices as flash drives, external storage, and printers." + desc "check", "Verify that Ubuntu operating system disables ability to load the USB storage kernel module. # grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\" @@ -26,8 +31,8 @@ usb-storage If the command does not return any output, or the line is commented out, this is a -finding. " - desc 'fix', "Configure the Ubuntu operating system to disable using the USB storage kernel module. +finding." + desc "fix", "Configure the Ubuntu operating system to disable using the USB storage kernel module. Create a file under \"/etc/modprobe.d\" to contain the following: 
@@ -39,16 +44,16 @@ operating system to disable the ability to use USB mass storage devices. # sudo su -c \"echo -blacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\" " +blacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\"" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000378-GPOS-00163 ' - tag gid: 'V-251505 ' - tag rid: 'SV-251505r853450_rule ' - tag stig_id: 'UBTU-20-010461 ' - tag fix_id: 'F-54894r808511_fix ' - tag cci: ['CCI-001958'] - tag nist: ['IA-3'] + tag severity: "medium " + tag gtitle: "SRG-OS-000378-GPOS-00163 " + tag gid: "V-251505 " + tag rid: "SV-251505r853450_rule " + tag stig_id: "UBTU-20-010461 " + tag fix_id: "F-54894r808511_fix " + tag cci: ["CCI-001958"] + tag nist: ["IA-3"] describe command('grep usb-storage /etc/modprobe.d/* | grep "/bin/true"') do its('stdout') { should_not be_empty } @@ -57,4 +62,5 @@ describe command('grep usb-storage /etc/modprobe.d/* | grep -i "blacklist"') do its('stdout') { should_not be_empty } end -end + +end \ No newline at end of file diff --git a/controls/SV-252704.rb b/controls/SV-252704.rb index 79d7e36..9f960e7 100644 --- a/controls/SV-252704.rb +++ b/controls/SV-252704.rb @@ -1,5 +1,5 @@ -control 'SV-252704' do - title 'The Ubuntu operating system must disable all wireless network adapters. ' +control "SV-252704" do + title "The Ubuntu operating system must disable all wireless network adapters. " desc "Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the operating system. 
@@ -21,8 +21,30 @@ barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only -passing telemetry data, encryption of the data may not be required. " - desc 'check', "Note: This requirement is Not Applicable for systems that do not have physical wireless +passing telemetry data, encryption of the data may not be required." + desc "default", "Without protection of communications with wireless peripherals, confidentiality and +integrity may be compromised because unprotected communications can be intercepted and +either read, altered, or used to compromise the operating system. + +This requirement +applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, +etc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR +Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique +challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet +DoD requirements for wireless data transmission and be approved for use by the AO. Even though +some wireless peripherals, such as mice and pointing devices, do not ordinarily carry +information that need to be protected, modification of communications with these wireless +peripherals may be used to compromise the operating system. Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of interception +and modification. + +Protecting the confidentiality and integrity of communications with +wireless peripherals can be accomplished by physical means (e.g., employing physical +barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic +techniques). 
If physical means of protection are employed, then logical means +(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only +passing telemetry data, encryption of the data may not be required." + desc "check", "Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. Verify that there are no wireless interfaces configured on the system with @@ -32,8 +54,8 @@ basename If a wireless interface is configured and has not been documented and approved by -the ISSO, this is a finding. " - desc 'fix', "List all the wireless interfaces with the following command: +the ISSO, this is a finding." + desc "fix", "List all the wireless interfaces with the following command: $ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename @@ -62,18 +84,19 @@ module with the following command: For each module from the system, execute the following command to remove it: $ -sudo modprobe -r <module name> " +sudo modprobe -r <module name>" impact 0.5 - tag severity: 'medium ' - tag gtitle: 'SRG-OS-000481-GPOS-00481 ' - tag gid: 'V-252704 ' - tag rid: 'SV-252704r854182_rule ' - tag stig_id: 'UBTU-20-010455 ' - tag fix_id: 'F-56110r819056_fix ' - tag cci: ['CCI-002418'] - tag nist: ['SC-8'] + tag severity: "medium " + tag gtitle: "SRG-OS-000481-GPOS-00481 " + tag gid: "V-252704 " + tag rid: "SV-252704r854182_rule " + tag stig_id: "UBTU-20-010455 " + tag fix_id: "F-56110r819056_fix " + tag cci: ["CCI-002418"] + tag nist: ["SC-8"] describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do its('stdout') { should be_in input('approved_wireless_interfaces') } end -end + +end \ No newline at end of file From 49d31b780a2e7e8376837f59322e6c8f697d2c9b Mon Sep 17 00:00:00 2001 From: Emily Rodriguez Date: Fri, 2 Dec 2022 11:29:56 -0600 Subject: [PATCH 2/3] try delta on formatted profile 
Signed-off-by: Emily Rodriguez --- controls/SV-238196.rb | 1 + controls/SV-238197.rb | 1 + controls/SV-238198.rb | 2 + controls/SV-238199.rb | 1 + controls/SV-238200.rb | 1 + controls/SV-238201.rb | 1 + controls/SV-238202.rb | 1 + controls/SV-238203.rb | 1 + controls/SV-238204.rb | 46 ++++++++++------------- controls/SV-238205.rb | 1 + controls/SV-238206.rb | 12 +++--- controls/SV-238207.rb | 3 +- controls/SV-238208.rb | 3 +- controls/SV-238209.rb | 1 + controls/SV-238210.rb | 40 +++++++++----------- controls/SV-238211.rb | 26 ++++++------- controls/SV-238212.rb | 27 ++++++-------- controls/SV-238213.rb | 28 ++++++-------- controls/SV-238214.rb | 80 ++++++++++++++------------------------- controls/SV-238215.rb | 3 +- controls/SV-238216.rb | 22 +++++------ controls/SV-238217.rb | 23 +++++------- controls/SV-238218.rb | 25 +++++-------- controls/SV-238219.rb | 22 +++++------ controls/SV-238220.rb | 24 +++++------- controls/SV-238221.rb | 1 + controls/SV-238222.rb | 1 + controls/SV-238223.rb | 1 + controls/SV-238224.rb | 1 + controls/SV-238225.rb | 1 + controls/SV-238226.rb | 1 + controls/SV-238227.rb | 1 + controls/SV-238228.rb | 1 + controls/SV-238229.rb | 1 + controls/SV-238230.rb | 3 +- controls/SV-238231.rb | 3 +- controls/SV-238232.rb | 3 +- controls/SV-238233.rb | 3 +- controls/SV-238234.rb | 1 + controls/SV-238235.rb | 3 +- controls/SV-238236.rb | 46 ++++++++++------------- controls/SV-238237.rb | 1 + controls/SV-238238.rb | 3 +- controls/SV-238239.rb | 3 +- controls/SV-238240.rb | 3 +- controls/SV-238241.rb | 3 +- controls/SV-238242.rb | 3 +- controls/SV-238243.rb | 47 ++++++++++------------- controls/SV-238244.rb | 1 + controls/SV-238245.rb | 1 + controls/SV-238246.rb | 1 + controls/SV-238247.rb | 1 + controls/SV-238248.rb | 1 + controls/SV-238249.rb | 1 + controls/SV-238250.rb | 1 + controls/SV-238251.rb | 1 + controls/SV-238252.rb | 49 ++++++++++-------------- controls/SV-238253.rb | 49 ++++++++++-------------- controls/SV-238254.rb | 49 
++++++++++-------------- controls/SV-238255.rb | 49 ++++++++++-------------- controls/SV-238256.rb | 49 ++++++++++-------------- controls/SV-238257.rb | 52 +++++++++++--------------- controls/SV-238258.rb | 84 +++++++++++++++-------------------------- controls/SV-238264.rb | 69 ++++++++++++++-------------------- controls/SV-238268.rb | 66 +++++++++++++------------------- controls/SV-238271.rb | 87 +++++++++++++++---------------------------- controls/SV-238277.rb | 48 ++++++++++-------------- controls/SV-238278.rb | 49 ++++++++++-------------- controls/SV-238279.rb | 49 ++++++++++-------------- controls/SV-238280.rb | 49 ++++++++++-------------- controls/SV-238281.rb | 49 ++++++++++-------------- controls/SV-238282.rb | 49 ++++++++++-------------- controls/SV-238283.rb | 49 ++++++++++-------------- controls/SV-238284.rb | 49 ++++++++++-------------- controls/SV-238285.rb | 1 + controls/SV-238286.rb | 1 + controls/SV-238287.rb | 1 + controls/SV-238288.rb | 49 ++++++++++-------------- controls/SV-238289.rb | 49 ++++++++++-------------- controls/SV-238290.rb | 49 ++++++++++-------------- controls/SV-238291.rb | 49 ++++++++++-------------- controls/SV-238292.rb | 49 ++++++++++-------------- controls/SV-238293.rb | 49 ++++++++++-------------- controls/SV-238294.rb | 51 ++++++++++--------------- controls/SV-238295.rb | 69 ++++++++++++++-------------------- controls/SV-238297.rb | 65 +++++++++++++------------------- controls/SV-238298.rb | 3 +- controls/SV-238299.rb | 1 + controls/SV-238300.rb | 1 + controls/SV-238301.rb | 1 + controls/SV-238302.rb | 1 + controls/SV-238303.rb | 1 + controls/SV-238304.rb | 3 +- controls/SV-238305.rb | 34 +++++++---------- controls/SV-238306.rb | 48 ++++++++++-------------- controls/SV-238307.rb | 3 +- controls/SV-238308.rb | 3 +- controls/SV-238309.rb | 3 +- controls/SV-238310.rb | 68 +++++++++++++-------------------- controls/SV-238315.rb | 1 + controls/SV-238316.rb | 1 + controls/SV-238317.rb | 1 + controls/SV-238318.rb | 1 + 
controls/SV-238319.rb | 1 + controls/SV-238320.rb | 1 + controls/SV-238321.rb | 3 +- controls/SV-238323.rb | 1 + controls/SV-238324.rb | 1 + controls/SV-238325.rb | 1 + controls/SV-238326.rb | 1 + controls/SV-238327.rb | 1 + controls/SV-238328.rb | 23 +++++------- controls/SV-238329.rb | 1 + controls/SV-238330.rb | 23 +++++------- controls/SV-238331.rb | 1 + controls/SV-238332.rb | 1 + controls/SV-238333.rb | 1 + controls/SV-238334.rb | 1 + controls/SV-238335.rb | 1 + controls/SV-238336.rb | 51 ++++++++++++------------- controls/SV-238337.rb | 1 + controls/SV-238338.rb | 1 + controls/SV-238339.rb | 1 + controls/SV-238340.rb | 1 + controls/SV-238341.rb | 1 + controls/SV-238342.rb | 1 + controls/SV-238343.rb | 1 + controls/SV-238344.rb | 1 + controls/SV-238345.rb | 1 + controls/SV-238346.rb | 1 + controls/SV-238347.rb | 1 + controls/SV-238348.rb | 1 + controls/SV-238349.rb | 1 + controls/SV-238350.rb | 1 + controls/SV-238351.rb | 1 + controls/SV-238352.rb | 1 + controls/SV-238353.rb | 1 + controls/SV-238354.rb | 3 +- controls/SV-238355.rb | 3 +- controls/SV-238356.rb | 3 +- controls/SV-238357.rb | 3 +- controls/SV-238358.rb | 3 +- controls/SV-238359.rb | 3 +- controls/SV-238360.rb | 3 +- controls/SV-238361.rb | 3 +- controls/SV-238362.rb | 3 +- controls/SV-238363.rb | 3 +- controls/SV-238364.rb | 5 ++- controls/SV-238365.rb | 3 +- controls/SV-238366.rb | 3 +- controls/SV-238367.rb | 3 +- controls/SV-238368.rb | 3 +- controls/SV-238369.rb | 3 +- controls/SV-238370.rb | 3 +- controls/SV-238371.rb | 3 +- controls/SV-238372.rb | 3 +- controls/SV-238373.rb | 7 ++-- controls/SV-238374.rb | 1 + controls/SV-238376.rb | 1 + controls/SV-238377.rb | 1 + controls/SV-238378.rb | 1 + controls/SV-238379.rb | 1 + controls/SV-238380.rb | 1 + controls/SV-251503.rb | 1 + controls/SV-251504.rb | 1 + controls/SV-251505.rb | 15 +++----- controls/SV-252704.rb | 54 ++++++++++++--------------- 167 files changed, 1066 insertions(+), 1394 deletions(-) 
diff --git a/controls/SV-238196.rb b/controls/SV-238196.rb index f9201f1..6e664da 100644 --- a/controls/SV-238196.rb +++ b/controls/SV-238196.rb @@ -57,6 +57,7 @@ $ sudo chage -E $(date -d \"+3 days\" +%F) system_account_name" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000002-GPOS-00002 " tag gid: "V-238196 " diff --git a/controls/SV-238197.rb b/controls/SV-238197.rb index 7d6d334..107964c 100644 --- a/controls/SV-238197.rb +++ b/controls/SV-238197.rb @@ -133,6 +133,7 @@ update $ sudo systemctl restart gdm3" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000023-GPOS-00006 " tag gid: "V-238197 " diff --git a/controls/SV-238198.rb b/controls/SV-238198.rb index 311b4d4..041ddb7 100644 --- a/controls/SV-238198.rb +++ b/controls/SV-238198.rb @@ -156,6 +156,8 @@ $ sudo dconf update $ sudo systemctl restart gdm3" + impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000023-GPOS-00006 " tag gid: "V-238198 " diff --git a/controls/SV-238199.rb b/controls/SV-238199.rb index d501597..69d6930 100644 --- a/controls/SV-238199.rb +++ b/controls/SV-238199.rb @@ -51,6 +51,7 @@ $ sudo gsettings set org.gnome.desktop.screensaver lock-enabled true" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000028-GPOS-00009 " tag satisfies: ["SRG-OS-000028-GPOS-00009", "SRG-OS-000029-GPOS-00010"] diff --git a/controls/SV-238200.rb b/controls/SV-238200.rb index 19963f7..5aacd4a 100644 --- a/controls/SV-238200.rb +++ b/controls/SV-238200.rb @@ -30,6 +30,7 @@ $ sudo apt-get install vlock" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000030-GPOS-00011 " tag satisfies: ["SRG-OS-000030-GPOS-00011", "SRG-OS-000031-GPOS-00012"] diff --git a/controls/SV-238201.rb b/controls/SV-238201.rb index 31d3373..091e578 100644 
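Review bot: The added `ref 'DPMS Target Canonical Ubuntu 20.04 LTS'` uses single quotes while the surrounding `tag` lines (and the previous commit's sweep of every control) use double quotes, so the file now mixes quoting styles on adjacent lines. Pick one; `ref "DPMS Target Canonical Ubuntu 20.04 LTS"` matches the rest of the block. The same line is added to every control in this patch.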
--- a/controls/SV-238201.rb +++ b/controls/SV-238201.rb @@ -24,6 +24,7 @@ accordingly at \"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." impact 0.7 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "high " tag gtitle: "SRG-OS-000068-GPOS-00036 " tag gid: "V-238201 " diff --git a/controls/SV-238202.rb b/controls/SV-238202.rb index c445142..53cc2a6 100644 --- a/controls/SV-238202.rb +++ b/controls/SV-238202.rb @@ -26,6 +26,7 @@ PASS_MIN_DAYS 1" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000075-GPOS-00043 " tag gid: "V-238202 " diff --git a/controls/SV-238203.rb b/controls/SV-238203.rb index 77edb8f..68d401f 100644 --- a/controls/SV-238203.rb +++ b/controls/SV-238203.rb @@ -25,6 +25,7 @@ PASS_MAX_DAYS 60" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000076-GPOS-00044 " tag gid: "V-238203 " diff --git a/controls/SV-238204.rb b/controls/SV-238204.rb index 639073e..e8323c6 100644 --- a/controls/SV-238204.rb +++ b/controls/SV-238204.rb 
@@ -49,34 +49,26 @@ If the root password entry does not begin with \"password_pbkdf2\", this is a finding." - desc "fix", "Configure the system to require a password for authentication upon booting into single-user -and maintenance modes. - -Generate an encrypted (grub) password for root with the following -command: - -$ grub-mkpasswd-pbkdf2 -Enter Password: -Reenter Password: -PBKDF2 hash of -your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG - -Using -the hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following -command to add a boot password: - -$ sudo sed -i '$i set -superusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom - - -where <hash> is the hash generated by grub-mkpasswd-pbkdf2 command. - -Generate an -updated \"grub.conf\" file with the new password by using the following command: - -$ sudo -update-grub" + desc "fix", "Configure the system to require a password for authentication upon booting into single-user and maintenance modes. + +Generate an encrypted (grub) password for root with the following command: + +$ grub-mkpasswd-pbkdf2 +Enter Password: +Reenter Password: +PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG + +Using the hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following command to add a boot password: + +$ sudo sed -i '$i set superusers=\\\"root\\\"\\npassword_pbkdf2 root ' /etc/grub.d/40_custom + +where is the hash generated by grub-mkpasswd-pbkdf2 command. + +Generate an updated \"grub.conf\" file with the new password by using the following command: + +$ sudo update-grub" impact 0.7 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "high " tag gtitle: "SRG-OS-000080-GPOS-00048 " tag gid: "V-238204 " diff --git a/controls/SV-238205.rb b/controls/SV-238205.rb index 5338ddd..0197e2a 100644 --- a/controls/SV-238205.rb +++ b/controls/SV-238205.rb 
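Review bot: The reflowed fix text loses the `<hash>` placeholder in two places: the sed line now ends `password_pbkdf2 root ' /etc/grub.d/40_custom` and the explanation reads `where is the hash generated by grub-mkpasswd-pbkdf2 command.` Followed literally, that sed command writes a `password_pbkdf2 root` entry with no hash into 40_custom, and the sentence that was meant to explain the placeholder no longer says what to substitute. The angle-bracket token looks like it was stripped by whatever tool reflowed the text, since the SV-238206 hunk below loses `<username>` the same way and is left with `$ sudo gpasswd -d sudo`. Restore `password_pbkdf2 root <hash>' /etc/grub.d/40_custom`, `where <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.` and `$ sudo gpasswd -d <username> sudo`.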
@@ -44,6 +44,7 @@ desc "fix", "Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate UID with a unique UID." impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000104-GPOS-00051 " tag satisfies: ["SRG-OS-000104-GPOS-00051", "SRG-OS-000121-GPOS-00062"] diff --git a/controls/SV-238206.rb b/controls/SV-238206.rb index c7f632e..7b92986 100644 --- a/controls/SV-238206.rb +++ b/controls/SV-238206.rb @@ -52,13 +52,13 @@ If the sudo group contains users not needing access to security functions, this is a finding." - desc "fix", "Configure the sudo group with only members requiring access to security functions. - -To -remove a user from the sudo group, run: - -$ sudo gpasswd -d <username> sudo" + desc "fix", "Configure the sudo group with only members requiring access to security functions. + +To remove a user from the sudo group, run: + +$ sudo gpasswd -d sudo" impact 0.7 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "high " tag gtitle: "SRG-OS-000134-GPOS-00068 " tag gid: "V-238206 " diff --git a/controls/SV-238207.rb b/controls/SV-238207.rb index dcc6037..d634c25 100644 --- a/controls/SV-238207.rb +++ b/controls/SV-238207.rb @@ -75,10 +75,11 @@ $ export TMOUT=600" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000279-GPOS-00109 " tag gid: "V-238207 " - tag rid: "SV-238207r853404_rule " + tag rid: "SV-238207r653796_rule" tag stig_id: "UBTU-20-010013 " tag fix_id: "F-41376r653795_fix " tag cci: ["CCI-002361"] diff --git a/controls/SV-238208.rb b/controls/SV-238208.rb index 169cc35..52f5cfa 100644 --- a/controls/SV-238208.rb +++ b/controls/SV-238208.rb 
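Review bot: The `tag rid` value changes from `"SV-238207r853404_rule "` to `"SV-238207r653796_rule"`, a lower rule revision than the file had, while `stig_id`, `fix_id` and the check text stay as they were; if the intent of this commit is only to add the `ref` line, the rid change looks like an accidental revert to an older benchmark revision and should be confirmed against the STIG release being tracked. The new value also drops the trailing space that every neighbouring tag still carries, so the hunk leaves the tags inconsistently formatted. The SV-238208 hunk below makes the same rid change.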
@@ -22,11 +22,12 @@ desc "fix", "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory." impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000373-GPOS-00156 " tag satisfies: ["SRG-OS-000373-GPOS-00156", "SRG-OS-000373-GPOS-00157"] tag gid: "V-238208 " - tag rid: "SV-238208r853405_rule " + tag rid: "SV-238208r653799_rule" tag stig_id: "UBTU-20-010014 " tag fix_id: "F-41377r653798_fix " tag cci: ["CCI-002038"] diff --git a/controls/SV-238209.rb b/controls/SV-238209.rb index 68e279a..e89f242 100644 --- a/controls/SV-238209.rb +++ b/controls/SV-238209.rb @@ -29,6 +29,7 @@ UMASK 077" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000480-GPOS-00228 " tag gid: "V-238209 " diff --git a/controls/SV-238210.rb b/controls/SV-238210.rb index 7410d0f..4078a35 100644 --- a/controls/SV-238210.rb +++ b/controls/SV-238210.rb 
@@ -47,28 +47,21 @@ The DoD CAC with DoD-approved PKI is an example of multifactor authentication." - desc "check", "Verify the Ubuntu operating system has the packages required for multifactor -authentication installed with the following commands: - -$ dpkg -l | grep libpam-pkcs11 - -ii -libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards - -If the -\"libpam-pkcs11\" package is not installed, this is a finding. - -Verify the sshd daemon allows -public key authentication with the following command: - -$ grep -r ^Pubkeyauthentication -/etc/ssh/sshd_config* - -PubkeyAuthentication yes - -If this option is set to \"no\" or is -missing, this is a finding. -If conflicting results are returned, this is a finding." + desc "check", "Verify the Ubuntu operating system has the packages required for multifactor authentication installed with the following commands: + +$ dpkg -l | grep libpam-pkcs11 + +ii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards + +If the \"libpam-pkcs11\" package is not installed, this is a finding. + +Verify the sshd daemon allows public key authentication with the following, + +$ grep ^Pubkeyauthentication /etc/ssh/sshd_config + +PubkeyAuthentication yes + +If this option is set to \"no\" or is missing, this is a finding." desc "fix", "Configure the Ubuntu operating system to use multifactor authentication for network access to accounts. 
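Review bot: The rewritten check for SV-238210 replaces `grep -r ^Pubkeyauthentication /etc/ssh/sshd_config*` with `grep ^Pubkeyauthentication /etc/ssh/sshd_config` and deletes `If conflicting results are returned, this is a finding.`, so the documented procedure no longer examines `/etc/ssh/sshd_config.d/*.conf`, which the stock Ubuntu 20.04 sshd_config includes and whose values take precedence over the main file. The same narrowing appears in SV-238211, SV-238212, SV-238213, SV-238216, SV-238217, SV-238218, SV-238219 and SV-238220. If reverting to the older wording is intentional, at least keep the `-r` and `/etc/ssh/sshd_config*` form together with the conflicting-results sentence, otherwise a drop-in file setting the option to a non-compliant value passes the check as written.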
@@ -80,11 +73,12 @@ Set the sshd option \"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file." impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000105-GPOS-00052 " tag satisfies: ["SRG-OS-000105-GPOS-00052", "SRG-OS-000106-GPOS-00053", "SRG-OS-000107-GPOS-00054", "SRG-OS-000108-GPOS-00055"] tag gid: "V-238210 " - tag rid: "SV-238210r858517_rule " + tag rid: "SV-238210r653805_rule" tag stig_id: "UBTU-20-010033 " tag fix_id: "F-41379r653804_fix " tag cci: ["CCI-000765", "CCI-000766", "CCI-000767", "CCI-000768"] diff --git a/controls/SV-238211.rb b/controls/SV-238211.rb index 5353d49..719d1fe 100644 --- a/controls/SV-238211.rb +++ b/controls/SV-238211.rb @@ -19,20 +19,15 @@ attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric." - desc "check", "Verify the Ubuntu operating system is configured to use strong authenticators in the -establishment of nonlocal maintenance and diagnostic maintenance. - -Verify that \"UsePAM\" -is set to \"yes\" in \"/etc/ssh/sshd_config: - -$ grep -r ^UsePAM -/etc/ssh/sshd_config* - -UsePAM yes - -If \"UsePAM\" is not set to \"yes\", this is a finding. -If -conflicting results are returned, this is a finding." + desc "check", "Verify the Ubuntu operating system is configured to use strong authenticators in the establishment of nonlocal maintenance and diagnostic maintenance. + +Verify that \"UsePAM\" is set to \"yes\" in \"/etc/ssh/sshd_config: + +$ grep ^UsePAM /etc/ssh/sshd_config + +UsePAM yes + +If \"UsePAM\" is not set to \"yes\", this is a finding." desc "fix", "Configure the Ubuntu operating system to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. 
@@ -41,10 +36,11 @@ UsePAM yes" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000125-GPOS-00065 " tag gid: "V-238211 " - tag rid: "SV-238211r858519_rule " + tag rid: "SV-238211r653808_rule" tag stig_id: "UBTU-20-010035 " tag fix_id: "F-41380r653807_fix " tag cci: ["CCI-000877"] diff --git a/controls/SV-238212.rb b/controls/SV-238212.rb index ed01257..9632f90 100644 --- a/controls/SV-238212.rb +++ b/controls/SV-238212.rb @@ -41,21 +41,15 @@ This capability is typically reserved for specific Ubuntu operating system functionality where the system owner, data owner, or organization requires additional assurance." - desc "check", "Verify that all network connections associated with SSH traffic automatically terminate -after a period of inactivity. - -Verify the \"ClientAliveCountMax\" variable is set in the -\"/etc/ssh/sshd_config\" file by performing the following command: - -$ sudo grep -ir -clientalivecountmax /etc/ssh/sshd_config* - -ClientAliveCountMax 1 - -If -\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding. -If -conflicting results are returned, this is a finding." + desc "check", "Verify that all network connections associated with SSH traffic automatically terminate after a period of inactivity. + +Verify the \"ClientAliveCountMax\" variable is set in the \"/etc/ssh/sshd_config\" file by performing the following command: + +$ sudo grep -i clientalivecountmax /etc/ssh/sshd_config + +ClientAliveCountMax 1 + +If \"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding." desc "fix", "Configure the Ubuntu operating system to automatically terminate inactive SSH sessions after a period of inactivity. 
@@ -70,10 +64,11 @@ $ sudo systemctl restart sshd.service" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000126-GPOS-00066 " tag gid: "V-238212 " - tag rid: "SV-238212r858521_rule " + tag rid: "SV-238212r653811_rule" tag stig_id: "UBTU-20-010036 " tag fix_id: "F-41381r653810_fix " tag cci: ["CCI-000879"] diff --git a/controls/SV-238213.rb b/controls/SV-238213.rb index c971880..ab34c73 100644 --- a/controls/SV-238213.rb +++ b/controls/SV-238213.rb 
@@ -25,22 +25,15 @@ sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session." - desc "check", "Verify that all network connections associated with SSH traffic are automatically -terminated at the end of the session or after 10 minutes of inactivity. - -Verify the -\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following -command: - -$ sudo grep -ir clientalive /etc/ssh/sshd_config* - -ClientAliveInterval -600 - -If \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in -\"/etc/ssh/sshd_config\", or is commented out, this is a finding. -If conflicting results are -returned, this is a finding." + desc "check", "Verify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity. + +Verify the \"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following command: + +$ sudo grep -i clientalive /etc/ssh/sshd_config + +ClientAliveInterval 600 + +If \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding." desc "fix", "Configure the Ubuntu operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a 10-minute period of inactivity. @@ -55,10 +48,11 @@ $ sudo systemctl restart sshd.service" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000163-GPOS-00072 " tag gid: "V-238213 " - tag rid: "SV-238213r858523_rule " + tag rid: "SV-238213r653814_rule" tag stig_id: "UBTU-20-010037 " tag fix_id: "F-41382r653813_fix " tag cci: ["CCI-001133"] 
diff --git a/controls/SV-238214.rb b/controls/SV-238214.rb index e7167fd..4f15bf1 100644 --- a/controls/SV-238214.rb +++ b/controls/SV-238214.rb 
@@ -95,58 +95,33 @@ \"I've read & consent to terms in IS user agreem't.\"" - desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent -Banner before granting access to the Ubuntu operating system via an SSH logon with the -following command: - -$ grep -ir banner /etc/ssh/sshd_config* - - + desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via an SSH logon with the following command: + +$ grep -ir banner /etc/ssh/sshd_config* + /etc/ssh/sshd_config:Banner /etc/issue.net - -The command will return the banner option -along with the name of the file that contains the SSH banner. If the line is commented out, this -is a finding. - -If conflicting results are returned, this is a finding. - -Verify the -specified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly: - - -$ cat /etc/issue.net - -\"You are accessing a U.S. Government (USG) Information System (IS) -that is provided for USG-authorized use only. - -By using this IS (which includes any device -attached to this IS), you consent to the following conditions: - --The USG routinely -intercepts and monitors communications on this IS for purposes including, but not limited -to, penetration testing, COMSEC monitoring, network operations and defense, personnel -misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, -or data stored on, this IS are not private, are subject to routine monitoring, interception, -and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes -security measures (e.g., authentication and access controls) to protect USG -interests--not for your personal benefit or privacy. 
- --Notwithstanding the above, using -this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of -the content of privileged communications, or work product, related to personal -representation or services by attorneys, psychotherapists, or clergy, and their -assistants. Such communications and work product are private and confidential. See User -Agreement for details.\" - -If the banner text does not match the Standard Mandatory DoD Notice -and Consent Banner exactly, this is a finding." + +The command will return the banner option along with the name of the file that contains the SSH banner. If the line is commented out, this is a finding. + +Verify the specified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly: + +$ cat /etc/issue.net + +\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\" + +If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding." desc "fix", "Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file: @@ -192,11 +167,12 @@ $ sudo systemctl -s SIGHUP kill sshd" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000228-GPOS-00088 " tag satisfies: ["SRG-OS-000228-GPOS-00088", "SRG-OS-000023-GPOS-00006"] tag gid: "V-238214 " - tag rid: "SV-238214r858525_rule " + tag rid: "SV-238214r832938_rule" tag stig_id: "UBTU-20-010038 " tag fix_id: "F-41383r653816_fix " tag cci: ["CCI-000048", "CCI-001384", "CCI-001385", "CCI-001386", "CCI-001387", "CCI-001388"] diff --git a/controls/SV-238215.rb b/controls/SV-238215.rb index a24ecd1..6009210 100644 --- a/controls/SV-238215.rb +++ b/controls/SV-238215.rb @@ -71,11 +71,12 @@ $ sudo systemctl start sshd.service" impact 0.7 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "high " tag gtitle: "SRG-OS-000423-GPOS-00187 " tag satisfies: ["SRG-OS-000423-GPOS-00187", "SRG-OS-000425-GPOS-00189", "SRG-OS-000426-GPOS-00190"] tag gid: "V-238215 " - tag rid: "SV-238215r853406_rule " + tag rid: "SV-238215r653820_rule" tag stig_id: "UBTU-20-010042 " tag fix_id: "F-41384r653819_fix " tag cci: ["CCI-002418", "CCI-002420", "CCI-002422"] diff --git a/controls/SV-238216.rb b/controls/SV-238216.rb index 0557faf..2bcc1c2 100644 --- a/controls/SV-238216.rb +++ b/controls/SV-238216.rb 
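Review bot: The SV-238214 check keeps `grep -ir banner /etc/ssh/sshd_config*`, which can return one line per matching file, yet the rewritten text removes `If conflicting results are returned, this is a finding.`, leaving no instruction for the case where a drop-in under `/etc/ssh/sshd_config.d/` names a different `Banner` than the main file. Restoring that sentence after `If the line is commented out, this is a finding.` is a one-line change and keeps the multi-file output the command produces adjudicated. The `desc "check"` string is fully contained in this hunk, so nothing outside it needs to move.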
@@ -43,18 +43,13 @@ protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes." - desc "check", "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers -with the following command: - -$ grep -ir macs /etc/ssh/sshd_config* - -MACs -hmac-sha2-512,hmac-sha2-256 - -If any ciphers other than \"hmac-sha2-512\" or -\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is -commented out, this is a finding. -If conflicting results are returned, this is a finding." + desc "check", "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers with the following command: + +$ grep -i macs /etc/ssh/sshd_config + +MACs hmac-sha2-512,hmac-sha2-256 + +If any ciphers other than \"hmac-sha2-512\" or \"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is commented out, this is a finding." desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS 140-2 approved ciphers. @@ -70,11 +65,12 @@ $ sudo systemctl reload sshd.service" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000424-GPOS-00188 " tag satisfies: ["SRG-OS-000424-GPOS-00188", "SRG-OS-000250-GPOS-00093", "SRG-OS-000393-GPOS-00173"] tag gid: "V-238216 " - tag rid: "SV-238216r860820_rule " + tag rid: "SV-238216r654316_rule" tag stig_id: "UBTU-20-010043 " tag fix_id: "F-41385r653822_fix " tag cci: ["CCI-001453", "CCI-002421", "CCI-002890"] diff --git a/controls/SV-238217.rb b/controls/SV-238217.rb index 71fade7..e7b7225 100644 --- a/controls/SV-238217.rb +++ b/controls/SV-238217.rb 
@@ -54,19 +54,13 @@ By specifying a cipher list with the order of ciphers being in a \"strongest to weakest\" orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections." - desc "check", "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running -the following command: - -$ grep -r 'Ciphers' /etc/ssh/sshd_config* - -Ciphers -aes256-ctr,aes192-ctr,aes128-ctr - -If any ciphers other than \"aes256-ctr\", -\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the -\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding. -If -conflicting results are returned, this is a finding." + desc "check", "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running the following command: + +$ grep -E 'Ciphers ' /etc/ssh/sshd_config + +Ciphers aes256-ctr,aes192-ctr,aes128-ctr + +If any ciphers other than \"aes256-ctr\", \"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding." desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to only implement FIPS-approved algorithms. @@ -82,11 +76,12 @@ $ sudo systemctl restart sshd.service" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000424-GPOS-00188 " tag satisfies: ["SRG-OS-000424-GPOS-00188", "SRG-OS-000033-GPOS-00014", "SRG-OS-000394-GPOS-00174"] tag gid: "V-238217 " - tag rid: "SV-238217r860821_rule " + tag rid: "SV-238217r832940_rule" tag stig_id: "UBTU-20-010044 " tag fix_id: "F-41386r653825_fix " tag cci: ["CCI-000068", "CCI-002421", "CCI-003123"] diff --git a/controls/SV-238218.rb b/controls/SV-238218.rb index a6dfaf0..f408ffa 100644 --- a/controls/SV-238218.rb +++ b/controls/SV-238218.rb 
@@ -4,20 +4,14 @@ operating system security." desc "default", "Failure to restrict system access to authenticated users negatively impacts Ubuntu operating system security." - desc "check", "Verify that unattended or automatic login via SSH is disabled with the following command: - -$ -egrep -r '(Permit(.*?)(Passwords|Environment))' -/etc/ssh/sshd_config - -PermitEmptyPasswords no -PermitUserEnvironment no - -If -\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are -missing completely, or are commented out, this is a finding. -If conflicting results are -returned, this is a finding." + desc "check", "Verify that unattended or automatic login via SSH is disabled with the following command: + +$ egrep '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config + +PermitEmptyPasswords no +PermitUserEnvironment no + +If \"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are missing completely, or are commented out, this is a finding." desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or automatic login to the system. @@ -33,10 +27,11 @@ $ sudo systemctl restart sshd.service" impact 0.7 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "high " tag gtitle: "SRG-OS-000480-GPOS-00229 " tag gid: "V-238218 " - tag rid: "SV-238218r858531_rule " + tag rid: "SV-238218r653829_rule" tag stig_id: "UBTU-20-010047 " tag fix_id: "F-41387r653828_fix " tag cci: ["CCI-000366"] diff --git a/controls/SV-238219.rb b/controls/SV-238219.rb index a82ee15..de94ce5 100644 --- a/controls/SV-238219.rb +++ b/controls/SV-238219.rb 
@@ -29,18 +29,13 @@ If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs." - desc "check", "Verify that X11Forwarding is disabled with the following command: - -$ grep -ir -x11forwarding /etc/ssh/sshd_config* | grep -v \"^#\" - -X11Forwarding no - -If the -\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System -Security Officer (ISSO) as an operational requirement or is missing, this is a finding. -If -conflicting results are returned, this is a finding." + desc "check", "Verify that X11Forwarding is disabled with the following command: + +$ grep -i x11forwarding /etc/ssh/sshd_config | grep -v \"^#\" + +X11Forwarding no + +If the \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement or is missing, this is a finding." desc "fix", "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): @@ -53,10 +48,11 @@ $ sudo systemctl restart sshd.service" impact 0.7 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "high " tag gtitle: "SRG-OS-000480-GPOS-00227 " tag gid: "V-238219 " - tag rid: "SV-238219r858533_rule " + tag rid: "SV-238219r653832_rule" tag stig_id: "UBTU-20-010048 " tag fix_id: "F-41388r653831_fix " tag cci: ["CCI-000366"] diff --git a/controls/SV-238220.rb b/controls/SV-238220.rb index 176f688..0b4c2db 100644 --- a/controls/SV-238220.rb +++ b/controls/SV-238220.rb 
@@ -11,19 +11,14 @@ default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display." - desc "check", "Verify the SSH daemon prevents remote hosts from connecting to the proxy display. - -Check the -SSH X11UseLocalhost setting with the following command: - -$ sudo grep -ir x11uselocalhost -/etc/ssh/sshd_config* -X11UseLocalhost yes - -If the \"X11UseLocalhost\" keyword is set to -\"no\", is missing, or is commented out, this is a finding. -If conflicting results are -returned, this is a finding." + desc "check", "Verify the SSH daemon prevents remote hosts from connecting to the proxy display. + +Check the SSH X11UseLocalhost setting with the following command: + +$ sudo grep -i x11uselocalhost /etc/ssh/sshd_config +X11UseLocalhost yes + +If the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding." desc "fix", "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. Edit @@ -39,10 +34,11 @@ $ sudo systemctl restart sshd.service" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000480-GPOS-00227 " tag gid: "V-238220 " - tag rid: "SV-238220r858535_rule " + tag rid: "SV-238220r653835_rule" tag stig_id: "UBTU-20-010049 " tag fix_id: "F-41389r653834_fix " tag cci: ["CCI-000366"] diff --git a/controls/SV-238221.rb b/controls/SV-238221.rb index 7348bc9..a40127f 100644 --- a/controls/SV-238221.rb +++ b/controls/SV-238221.rb @@ -34,6 +34,7 @@ ucredit=-1" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000069-GPOS-00037 " tag gid: "V-238221 " diff --git a/controls/SV-238222.rb b/controls/SV-238222.rb index 5b2944b..5157209 100644 --- a/controls/SV-238222.rb +++ b/controls/SV-238222.rb 
@@ -34,6 +34,7 @@ lcredit=-1" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000070-GPOS-00038 " tag gid: "V-238222 " diff --git a/controls/SV-238223.rb b/controls/SV-238223.rb index b2159d6..515fab9 100644 --- a/controls/SV-238223.rb +++ b/controls/SV-238223.rb @@ -37,6 +37,7 @@ dcredit=-1" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000071-GPOS-00039 " tag gid: "V-238223 " diff --git a/controls/SV-238224.rb b/controls/SV-238224.rb index 35a9c55..d3c9b81 100644 --- a/controls/SV-238224.rb +++ b/controls/SV-238224.rb @@ -45,6 +45,7 @@ difok=8" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000072-GPOS-00040 " tag gid: "V-238224 " diff --git a/controls/SV-238225.rb b/controls/SV-238225.rb index 3ec8e44..ed0d2c4 100644 --- a/controls/SV-238225.rb +++ b/controls/SV-238225.rb @@ -33,6 +33,7 @@ minlen=15" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000078-GPOS-00046 " tag gid: "V-238225 " diff --git a/controls/SV-238226.rb b/controls/SV-238226.rb index 4f65401..442e9c6 100644 --- a/controls/SV-238226.rb +++ b/controls/SV-238226.rb @@ -40,6 +40,7 @@ ocredit=-1" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000266-GPOS-00101 " tag gid: "V-238226 " diff --git a/controls/SV-238227.rb b/controls/SV-238227.rb index 7f1ca5a..b9c3537 100644 --- a/controls/SV-238227.rb +++ b/controls/SV-238227.rb @@ -24,6 +24,7 @@ dictcheck=1" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000480-GPOS-00225 " tag gid: "V-238227 " diff --git a/controls/SV-238228.rb b/controls/SV-238228.rb index 10358fd..15634ed 100644 --- a/controls/SV-238228.rb +++ b/controls/SV-238228.rb 
@@ -71,6 +71,7 @@ Note: The value of \"retry\" should be between \"1\" and \"3\"." impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000480-GPOS-00225 " tag gid: "V-238228 " diff --git a/controls/SV-238229.rb b/controls/SV-238229.rb index 509fac3..62ce22d 100644 --- a/controls/SV-238229.rb +++ b/controls/SV-238229.rb @@ -76,6 +76,7 @@ module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs accordingly at \"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000066-GPOS-00034 " tag gid: "V-238229 " diff --git a/controls/SV-238230.rb b/controls/SV-238230.rb index f077f98..487d537 100644 --- a/controls/SV-238230.rb +++ b/controls/SV-238230.rb @@ -64,10 +64,11 @@ $ sudo apt install libpam-pkcs11" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000375-GPOS-00160 " tag gid: "V-238230 " - tag rid: "SV-238230r853410_rule " + tag rid: "SV-238230r653865_rule" tag stig_id: "UBTU-20-010063 " tag fix_id: "F-41399r653864_fix " tag cci: ["CCI-001948"] diff --git a/controls/SV-238231.rb b/controls/SV-238231.rb index 003f396..1062816 100644 --- a/controls/SV-238231.rb +++ b/controls/SV-238231.rb @@ -35,10 +35,11 @@ $ sudo apt-get install opensc-pkcs11" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000376-GPOS-00161 " tag gid: "V-238231 " - tag rid: "SV-238231r853411_rule " + tag rid: "SV-238231r653868_rule" tag stig_id: "UBTU-20-010064 " tag fix_id: "F-41400r653867_fix " tag cci: ["CCI-001953"] diff --git a/controls/SV-238232.rb b/controls/SV-238232.rb index 96d9560..70cd898 100644 --- a/controls/SV-238232.rb +++ b/controls/SV-238232.rb 
@@ -35,10 +35,11 @@ Modify all of the \"cert_policy\" lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"." impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000377-GPOS-00162 " tag gid: "V-238232 " - tag rid: "SV-238232r853412_rule " + tag rid: "SV-238232r653871_rule" tag stig_id: "UBTU-20-010065 " tag fix_id: "F-41401r653870_fix " tag cci: ["CCI-001954"] diff --git a/controls/SV-238233.rb b/controls/SV-238233.rb index 0c565d7..0f00272 100644 --- a/controls/SV-238233.rb +++ b/controls/SV-238233.rb @@ -33,10 +33,11 @@ an example to copy into place and modify accordingly at \"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000384-GPOS-00167 " tag gid: "V-238233 " - tag rid: "SV-238233r853413_rule " + tag rid: "SV-238233r653874_rule" tag stig_id: "UBTU-20-010066 " tag fix_id: "F-41402r653873_fix " tag cci: ["CCI-001991"] diff --git a/controls/SV-238234.rb b/controls/SV-238234.rb index 51dc477..d168cd8 100644 --- a/controls/SV-238234.rb +++ b/controls/SV-238234.rb @@ -30,6 +30,7 @@ password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=5 rounds=5000" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000077-GPOS-00045 " tag satisfies: ["SRG-OS-000077-GPOS-00045", "SRG-OS-000073-GPOS-00041"] diff --git a/controls/SV-238235.rb b/controls/SV-238235.rb index 52e593c..e2cf1e0 100644 --- a/controls/SV-238235.rb +++ b/controls/SV-238235.rb 
@@ -62,11 +62,12 @@ fail_interval = 900 unlock_time = 0" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000329-GPOS-00128 " tag satisfies: ["SRG-OS-000329-GPOS-00128", "SRG-OS-000021-GPOS-00005"] tag gid: "V-238235 " - tag rid: "SV-238235r853414_rule " + tag rid: "SV-238235r802383_rule" tag stig_id: "UBTU-20-010072 " tag fix_id: "F-41404r802382_fix " tag cci: ["CCI-000044", "CCI-002238"] diff --git a/controls/SV-238236.rb b/controls/SV-238236.rb index eb030fd..8d9999e 100644 --- a/controls/SV-238236.rb +++ b/controls/SV-238236.rb 
@@ -33,32 +33,23 @@ This requirement applies to the Ubuntu operating system performing security function verification/testing and/or systems and environments that require this functionality." - desc "check", "Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to -check file integrity each 30 days or less is unchanged. - -Download the original aide-common -package in the /tmp directory: - -$ cd /tmp; apt download aide-common - -Fetch the SHA1 of the -original script file: - -$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO -./usr/share/aide/config/cron.daily/aide | sha1sum - -32958374f18871e3f7dda27a58d721f471843e26 - - -Compare with the SHA1 of the file in the -daily or monthly cron directory: - -$ sha1sum /etc/cron.{daily,monthly}/aide -2>/dev/null -32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide - -If -there is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the -daily or monthly cron directory does not match the SHA1 of the original, this is a finding." + desc "check", "Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged. + +Download the original aide-common package in the /tmp directory: + +$ cd /tmp; apt download aide-common + +Fetch the SHA1 of the original script file: + +$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO ./usr/share/aide/config/cron.daily/aide | sha1sum +32958374f18871e3f7dda27a58d721f471843e26 - + +Compare with the SHA1 of the file in the daily or monthly cron directory: + +$ sha1sum /etc/cron.{daily,monthly}/aide 2>/dev/null +32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide + +If there is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the daily or monthly cron directory does not match the SHA1 of the original, this is a finding." 
desc "fix", "The cron file for AIDE is fairly complex as it creates the report. This file is installed with the \"aide-common\" package, and the default can be restored by copying it from the package: @@ -79,10 +70,11 @@ $ sudo cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000446-GPOS-00200 " tag gid: "V-238236 " - tag rid: "SV-238236r853415_rule " + tag rid: "SV-238236r653883_rule" tag stig_id: "UBTU-20-010074 " tag fix_id: "F-41405r653882_fix " tag cci: ["CCI-002699"] diff --git a/controls/SV-238237.rb b/controls/SV-238237.rb index 1e1439f..81899d4 100644 --- a/controls/SV-238237.rb +++ b/controls/SV-238237.rb @@ -24,6 +24,7 @@ auth required pam_faildelay.so delay=4000000" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000480-GPOS-00226 " tag gid: "V-238237 " diff --git a/controls/SV-238238.rb b/controls/SV-238238.rb index ae84ad0..cae33cf 100644 --- a/controls/SV-238238.rb +++ b/controls/SV-238238.rb @@ -48,11 +48,12 @@ $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000004-GPOS-00004 " tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000463-GPOS-00207", "SRG-OS-000476-GPOS-00221"] tag gid: "V-238238 " - tag rid: "SV-238238r853416_rule " + tag rid: "SV-238238r653889_rule" tag stig_id: "UBTU-20-010100 " tag fix_id: "F-41407r653888_fix " tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"] diff --git a/controls/SV-238239.rb b/controls/SV-238239.rb index b1f9fe9..7a904eb 100644 --- a/controls/SV-238239.rb +++ b/controls/SV-238239.rb 
@@ -48,11 +48,12 @@ $ sudo augenrules --load"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000004-GPOS-00004 "
 tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"]
 tag gid: "V-238239 "
- tag rid: "SV-238239r853417_rule "
+ tag rid: "SV-238239r653892_rule"
 tag stig_id: "UBTU-20-010101 "
 tag fix_id: "F-41408r653891_fix "
 tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"]
diff --git a/controls/SV-238240.rb b/controls/SV-238240.rb
index 5a15d6f..edfc70b 100644
--- a/controls/SV-238240.rb
+++ b/controls/SV-238240.rb
@@ -48,11 +48,12 @@ $ sudo augenrules --load"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000004-GPOS-00004 "
 tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"]
 tag gid: "V-238240 "
- tag rid: "SV-238240r853418_rule "
+ tag rid: "SV-238240r653895_rule"
 tag stig_id: "UBTU-20-010102 "
 tag fix_id: "F-41409r653894_fix "
 tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"]
diff --git a/controls/SV-238241.rb b/controls/SV-238241.rb
index d1c360a..43227f4 100644
--- a/controls/SV-238241.rb
+++ b/controls/SV-238241.rb
@@ -48,11 +48,12 @@ $ sudo augenrules --load"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000004-GPOS-00004 "
 tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"]
 tag gid: "V-238241 "
- tag rid: "SV-238241r853419_rule "
+ tag rid: "SV-238241r653898_rule"
 tag stig_id: "UBTU-20-010103 "
 tag fix_id: "F-41410r653897_fix "
 tag cci: ["CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"]
diff --git a/controls/SV-238242.rb b/controls/SV-238242.rb
index 4ee2ea8..7453e7b 100644
--- a/controls/SV-238242.rb
+++ b/controls/SV-238242.rb
@@ -48,11 +48,12 @@ $ sudo augenrules --load"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000004-GPOS-00004 "
 tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"]
 tag gid: "V-238242 "
- tag rid: "SV-238242r853420_rule "
+ tag rid: "SV-238242r653901_rule"
 tag stig_id: "UBTU-20-010104 "
 tag fix_id: "F-41411r653900_fix "
 tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"]
diff --git a/controls/SV-238243.rb b/controls/SV-238243.rb
index 73888be..80f409c 100644
--- a/controls/SV-238243.rb
+++ b/controls/SV-238243.rb
@@ -27,35 +27,26 @@ information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both." - desc "check", "Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing -failure with the following command: - -$ sudo grep '^action_mail_acct = root' -/etc/audit/auditd.conf - -action_mail_acct = <administrator_account> - -If the -value of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the -\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a -finding." - desc "fix", "Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing -failure. - -Edit the following line in \"/etc/audit/auditd.conf\" to ensure administrators -are notified via email for those situations: - -action_mail_acct = -<administrator_account> - -Note: Change \"administrator_account\" to an account for -security personnel. - -Restart the \"auditd\" service so the changes take effect: - -$ sudo -systemctl restart auditd.service" + desc "check", "Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing failure with the following command: + +$ sudo grep '^action_mail_acct = root' /etc/audit/auditd.conf + +action_mail_acct = + +If the value of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the \"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a finding." + desc "fix", "Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing failure. + +Edit the following line in \"/etc/audit/auditd.conf\" to ensure administrators are notified via email for those situations: + +action_mail_acct = + +Note: Change \"administrator_account\" to an account for security personnel. 
+
+Restart the \"auditd\" service so the changes take effect:
+
+$ sudo systemctl restart auditd.service"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000046-GPOS-00022 "
 tag gid: "V-238243 "
diff --git a/controls/SV-238244.rb b/controls/SV-238244.rb
index 59d2fbd..4c67081 100644
--- a/controls/SV-238244.rb
+++ b/controls/SV-238244.rb
@@ -66,6 +66,7 @@ $ sudo systemctl restart auditd.service"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000047-GPOS-00023 "
 tag gid: "V-238244 "
diff --git a/controls/SV-238245.rb b/controls/SV-238245.rb
index 46ee253..d54307c 100644
--- a/controls/SV-238245.rb
+++ b/controls/SV-238245.rb
@@ -47,6 +47,7 @@ $ sudo chmod 0600 /var/log/audit/*"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000057-GPOS-00027 "
 tag satisfies: ["SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028"]
diff --git a/controls/SV-238246.rb b/controls/SV-238246.rb
index 8a5ba8c..d4f8b2c 100644
--- a/controls/SV-238246.rb
+++ b/controls/SV-238246.rb
@@ -46,6 +46,7 @@ $ sudo chown root /var/log/audit/*"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000057-GPOS-00027 "
 tag satisfies: ["SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028", "SRG-OS-000059-GPOS-00029"]
diff --git a/controls/SV-238247.rb b/controls/SV-238247.rb
index d487828..4ea9d53 100644
--- a/controls/SV-238247.rb
+++ b/controls/SV-238247.rb
@@ -50,6 +50,7 @@ update the group owners of existing files: $ sudo systemctl kill auditd -s SIGHUP"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000057-GPOS-00027 "
 tag satisfies: ["SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028", "SRG-OS-000059-GPOS-00029"]
diff --git a/controls/SV-238248.rb b/controls/SV-238248.rb
index 6142ebe..4e063ea 100644
--- a/controls/SV-238248.rb
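Review bot: The reflowed text for SV-238243 loses the `<administrator_account>` placeholder: the old side reads `action_mail_acct = <administrator_account>` in both the check example and the fix instruction, while the new side reads only `action_mail_acct = ` in both places, yet the Note that follows still tells the reader to change \"administrator_account\". The angle-bracketed token was most likely stripped as markup by the formatting step, so the delta tool should escape or preserve such placeholders and these two lines should be restored to `action_mail_acct = <administrator_account>`. This hunk begins on the preceding line; the other reflowed controls in this range contain no angle-bracket placeholders, so only this one looks affected, but any control whose text carries `<...>` tokens deserves the same check.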
+++ b/controls/SV-238248.rb
@@ -60,6 +60,7 @@ $ sudo chmod -R g-w,o-rwx /var/log/audit"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000059-GPOS-00029 "
 tag gid: "V-238248 "
diff --git a/controls/SV-238249.rb b/controls/SV-238249.rb
index 84c002b..7fb0708 100644
--- a/controls/SV-238249.rb
+++ b/controls/SV-238249.rb
@@ -50,6 +50,7 @@ $ sudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000063-GPOS-00032 "
 tag gid: "V-238249 "
diff --git a/controls/SV-238250.rb b/controls/SV-238250.rb
index be019a8..e2f7428 100644
--- a/controls/SV-238250.rb
+++ b/controls/SV-238250.rb
@@ -60,6 +60,7 @@ $ sudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000063-GPOS-00032 "
 tag gid: "V-238250 "
diff --git a/controls/SV-238251.rb b/controls/SV-238251.rb
index 7880d40..c361afc 100644
--- a/controls/SV-238251.rb
+++ b/controls/SV-238251.rb
@@ -50,6 +50,7 @@ $ sudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000063-GPOS-00032 "
 tag gid: "V-238251 "
diff --git a/controls/SV-238252.rb b/controls/SV-238252.rb
index 1cc81df..294328f 100644
--- a/controls/SV-238252.rb
+++ b/controls/SV-238252.rb
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful -attempts to use the \"su\" command. - -Check the configured audit rules with the following -commands: - -$ sudo auditctl -l | grep '/bin/su' - --a always,exit -F path=/bin/su -F perm=x -F -auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -If the command does not -return lines that match the example or the lines are commented out, this is a finding. - -Note: -The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need -to match the example output above." - desc "fix", "Configure the Ubuntu operating system to generate audit records when -successful/unsuccessful attempts to use the \"su\" command occur. - -Add or update the -following rules in the \"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F -path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - - -To reload the rules file, issue the following command: - + desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the \"su\" command. + +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep '/bin/su' + +-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change + +If the command does not return lines that match the example or the lines are commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the Ubuntu operating system to generate audit records when successful/unsuccessful attempts to use the \"su\" command occur. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238252 " diff --git a/controls/SV-238253.rb b/controls/SV-238253.rb index ddcb939..932fdbd 100644 --- a/controls/SV-238253.rb +++ b/controls/SV-238253.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful -attempts to use the \"chfn\" command. - -Check the configured audit rules with the following -commands: - -$ sudo auditctl -l | grep '/usr/bin/chfn' - --a always,exit -F -path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn - -If the -command does not return lines that match the example or the lines are commented out, this is a -finding. - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"chfn\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/chfn -F perm=x --F auid>=1000 -F auid!=4294967295 -k privileged-chfn - -To reload the rules file, issue -the following command: - + desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the \"chfn\" command. + +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep '/usr/bin/chfn' + +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn + +If the command does not return lines that match the example or the lines are commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"chfn\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238253 " diff --git a/controls/SV-238254.rb b/controls/SV-238254.rb index 0c80bcc..14183d9 100644 --- a/controls/SV-238254.rb +++ b/controls/SV-238254.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful -attempts to use the \"mount\" command. - -Check the configured audit rules with the following -commands: - -$ sudo auditctl -l | grep '/usr/bin/mount' - --a always,exit -F -path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount - -If the -command does not return lines that match the example or the lines are commented out, this is a -finding. - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"mount\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/mount -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount - -To reload the rules -file, issue the following command: - + desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the \"mount\" command. + +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep '/usr/bin/mount' + +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount + +If the command does not return lines that match the example or the lines are commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"mount\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238254 " diff --git a/controls/SV-238255.rb b/controls/SV-238255.rb index 128eea7..edbd35f 100644 --- a/controls/SV-238255.rb +++ b/controls/SV-238255.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify if the Ubuntu operating system generates audit records upon -successful/unsuccessful attempts to use the \"umount\" command. - -Check the configured -audit rules with the following commands: - -$ sudo auditctl -l | grep '/usr/bin/umount' - --a -always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k -privileged-umount - -If the command does not return lines that match the example or the lines -are commented out, this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary -identifier, and the string after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"umount\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/umount -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount - -To reload the rules -file, issue the following command: - + desc "check", "Verify if the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the \"umount\" command. + +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep '/usr/bin/umount' + +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount + +If the command does not return lines that match the example or the lines are commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"umount\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238255 " diff --git a/controls/SV-238256.rb b/controls/SV-238256.rb index 3584874..0213373 100644 --- a/controls/SV-238256.rb +++ b/controls/SV-238256.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"ssh-agent\" command. - -Check the configured audit rules with the -following commands: - -$ sudo auditctl -l | grep '/usr/bin/ssh-agent' - --a always,exit -F -path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh - -If the -command does not return lines that match the example or the lines are commented out, this is a -finding. - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"ssh-agent\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/ssh-agent -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh - -To reload the rules file, -issue the following command: - + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"ssh-agent\" command. + +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep '/usr/bin/ssh-agent' + +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh + +If the command does not return lines that match the example or the lines are commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"ssh-agent\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238256 " diff --git a/controls/SV-238257.rb b/controls/SV-238257.rb index 0bfd1d6..cc2d4b6 100644 --- a/controls/SV-238257.rb +++ b/controls/SV-238257.rb 
@@ -15,38 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"ssh-keysign\" command. - -Check the configured audit rules with the -following commands: - -$ sudo auditctl -l | grep ssh-keysign - --a always,exit -F -path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k -privileged-ssh - -If the command does not return lines that match the example or the lines are -commented out, this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary -identifier, and the string after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"ssh-keysign\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F -path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k -privileged-ssh - -To reload the rules file, issue the following command: - -$ sudo augenrules ---load" + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"ssh-keysign\" command. + +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep ssh-keysign + +-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh + +If the command does not return lines that match the example or the lines are commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"ssh-keysign\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh + +To reload the rules file, issue the following command: + +$ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238257 " diff --git a/controls/SV-238258.rb b/controls/SV-238258.rb index 0db22d7..817d1a6 100644 --- a/controls/SV-238258.rb +++ b/controls/SV-238258.rb 
@@ -27,64 +27,38 @@ syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", -\"fremovexattr\", and \"lremovexattr\" system calls. - -Check the currently configured audit -rules with the following command: - -$ sudo auditctl -l | grep xattr - --a always,exit -F -arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F -auid>=1000 -F auid!=-1 -k perm_mod --a always,exit -F arch=b32 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k -perm_mod --a always,exit -F arch=b64 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F -auid>=1000 -F auid!=-1 -k perm_mod --a always,exit -F arch=b64 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k -perm_mod - -If the command does not return audit rules for the \"setxattr\", \"fsetxattr\", -\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are -commented out, this is a finding. - -Notes: -For 32-bit architectures, only the 32-bit -specific output lines from the commands are required. -The \"-k\" allows for specifying an -arbitrary identifier, and the string after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and -\"lremovexattr\" system calls. 
- -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F arch=b32 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F -auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k -perm_mod --a always,exit -F arch=b64 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F -auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k -perm_mod - + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls. + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep xattr + +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod + +If the command does not return audit rules for the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are commented out, this is a finding. + +Notes: +For 32-bit architectures, only the 32-bit specific output lines from the commands are required. +The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." 
+ desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls. + +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod + Note: For 32-bit architectures, only the 32-bit specific entries are required. - - -To reload the rules file, issue the following command: - + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000462-GPOS-00206"] diff --git a/controls/SV-238264.rb b/controls/SV-238264.rb index 9eea681..bea36c5 100644 --- a/controls/SV-238264.rb +++ b/controls/SV-238264.rb 
@@ -27,49 +27,34 @@ syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. - -Check the -configured audit rules with the following commands: - -$ sudo auditctl -l | grep chown - --a -always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k -perm_chng --a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 --F auid!=-1 -k perm_chng - -If the command does not return audit rules for the \"chown\", -\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a -finding. - -Notes: -For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. -The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. - -Add or update the following -rules in the \"/etc/audit/rules.d/stig.rules\": - --a always,exit -F arch=b32 -S -chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng --a -always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F -auid!=4294967295 -k perm_chng - -Note: For 32-bit architectures, only the 32-bit specific -entries are required. - -To reload the rules file, issue the following command: - -$ sudo -augenrules --load" + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. 
+ +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep chown + +-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command does not return audit rules for the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a finding. + +Notes: +For 32-bit architectures, only the 32-bit specific output lines from the commands are required. +The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. + +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\": + +-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng + +Note: For 32-bit architectures, only the 32-bit specific entries are required. + +To reload the rules file, issue the following command: + +$ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000462-GPOS-00206"] diff --git a/controls/SV-238268.rb b/controls/SV-238268.rb index 8c6c83b..abaf68f 100644 --- a/controls/SV-238268.rb +++ b/controls/SV-238268.rb 
@@ -27,48 +27,34 @@ syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. - -Check the configured -audit rules with the following commands: - -$ sudo auditctl -l | grep chmod - --a always,exit -F -arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng --a -always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k -perm_chng - -If the command does not return audit rules for the \"chmod\", \"fchmod\" and -\"fchmodat\" syscalls or the lines are commented out, this is a finding. - -Notes: -For 32-bit -architectures, only the 32-bit specific output lines from the commands are required. -The -\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to -match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. - -Add or update the following rules in -the \"/etc/audit/rules.d/stig.rules\": - --a always,exit -F arch=b32 -S -chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit --F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng - - -Notes: For 32-bit architectures, only the 32-bit specific entries are required. - -To -reload the rules file, issue the following command: - + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. 
+ +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep chmod + +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command does not return audit rules for the \"chmod\", \"fchmod\" and \"fchmodat\" syscalls or the lines are commented out, this is a finding. + +Notes: +For 32-bit architectures, only the 32-bit specific output lines from the commands are required. +The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. + +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\": + +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng + +Notes: For 32-bit architectures, only the 32-bit specific entries are required. + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000462-GPOS-00206"] diff --git a/controls/SV-238271.rb b/controls/SV-238271.rb index b3adcfc..b1d9c71 100644 --- a/controls/SV-238271.rb +++ b/controls/SV-238271.rb 
@@ -27,65 +27,38 @@ syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible." - desc "check", "Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to -use the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" -system calls. - -Check the configured audit rules with the following commands: - -$ sudo -auditctl -l | grep 'open\\|truncate\\|creat' - --a always,exit -F arch=b32 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F -auid>=1000 -F auid!=-1 -k perm_access --a always,exit -F arch=b32 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F -auid>=1000 -F auid!=-1 -k perm_access --a always,exit -F arch=b64 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F -auid>=1000 -F auid!=-1 -k perm_access --a always,exit -F arch=b64 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F -auid>=1000 -F auid!=-1 -k perm_access - -If the command does not return audit rules for the -\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or -the lines are commented out, this is a finding. - -Notes: -For 32-bit architectures, only the -32-bit specific output lines from the commands are required. -The \"-k\" allows for specifying -an arbitrary identifier, and the string after it does not need to match the example output -above." - desc "fix", "Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\", -\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls. 
- -Add -or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: - --a -always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F -exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access --a always,exit -F -arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES --F auid>=1000 -F auid!=4294967295 -k perm_access --a always,exit -F arch=b64 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F -auid>=1000 -F auid!=4294967295 -k perm_access --a always,exit -F arch=b64 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F -auid>=1000 -F auid!=4294967295 -k perm_access - -Notes: For 32-bit architectures, only -the 32-bit specific entries are required. - -To reload the rules file, issue the following -command: - + desc "check", "Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to use the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls. + +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep 'open\\|truncate\\|creat' + +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access + +If the command does not return audit rules for the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or the lines are commented out, this is a finding. 
+ +Notes: +For 32-bit architectures, only the 32-bit specific output lines from the commands are required. +The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls. + +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access + +Notes: For 32-bit architectures, only the 32-bit specific entries are required. + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000474-GPOS-00219"] diff --git a/controls/SV-238277.rb b/controls/SV-238277.rb index a5ec574..f6f7aa9 100644 --- a/controls/SV-238277.rb +++ b/controls/SV-238277.rb 
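Review bot: The new fix text in this hunk carries over a missing space from the old string: `unsuccessful use of the\"creat\", \"open\"` is shown to assessors as `the"creat"`. Since the reflow already rewrites this line, it should read `any unsuccessful use of the \"creat\", \"open\", \"openat\", ...`. This is guidance text printed in every report that includes the fix, so the typo is user-visible.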
@@ -15,36 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\" -command. - -Check the configured audit rules with the following command: - -$ sudo auditctl -l -| grep /usr/bin/sudo - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F -auid!=-1 -k priv_cmd - -If the command does not return a line that matches the example or the -line is commented out, this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary -identifier, and the string after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"sudo\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/sudo -F perm=x --F auid>=1000 -F auid!=4294967295 -k priv_cmd - -To reload the rules file, issue the -following command: - + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\" command. + +Check the configured audit rules with the following command: + +$ sudo auditctl -l | grep /usr/bin/sudo + +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"sudo\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238277 " diff --git a/controls/SV-238278.rb b/controls/SV-238278.rb index 50c9486..11ae2e2 100644 --- a/controls/SV-238278.rb +++ b/controls/SV-238278.rb 
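Review bot: The check command in this hunk, `$ sudo auditctl -l | grep /usr/bin/sudo`, also matches the `/usr/bin/sudoedit` rule described in SV-238278, so an assessor following the text verbatim can see a matching line and pass this check on a host that audits sudoedit but not sudo. Anchoring the pattern, `$ sudo auditctl -l | grep -w /usr/bin/sudo`, limits the output to the sudo rule; SV-238288 in this chunk already uses the `grep -w` form for passwd. The automated `describe` block for this control is outside the hunk, so whether it has the same over-match cannot be seen here.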
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"sudoedit\" command. - -Check the configured audit rules with the -following commands: - -$ sudo auditctl -l | grep /usr/bin/sudoedit - --a always,exit -F -path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd - -If the command -does not return a line that matches the example or the line is commented out, this is a finding. - - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does -not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"sudoedit\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\": - --a always,exit -F path=/usr/bin/sudoedit -F perm=x --F auid>=1000 -F auid!=4294967295 -k priv_cmd - -To reload the rules file, issue the -following command: - + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"sudoedit\" command. + +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep /usr/bin/sudoedit + +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"sudoedit\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\": + +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238278 " diff --git a/controls/SV-238279.rb b/controls/SV-238279.rb index 5429112..9fee642 100644 --- a/controls/SV-238279.rb +++ b/controls/SV-238279.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"chsh\" command. - -Check the configured audit rules with the following -commands: - -$ sudo auditctl -l | grep chsh - --a always,exit -F path=/usr/bin/chsh -F perm=x --F auid>=1000 -F auid!=-1 -k priv_cmd - -If the command does not return a line that matches -the example or the line is commented out, this is a finding. - -Notes: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example -output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"chsh\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/chsh -F perm=x --F auid>=1000 -F auid!=4294967295 -k priv_cmd - -To reload the rules file, issue the -following command: - + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"chsh\" command. + +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep chsh + +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Notes: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chsh\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238279 " diff --git a/controls/SV-238280.rb b/controls/SV-238280.rb index 42ab3a7..488a4aa 100644 --- a/controls/SV-238280.rb +++ b/controls/SV-238280.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"newgrp\" command. - -Check the configured audit rules with the following -commands: - -$ sudo auditctl -l | grep newgrp - --a always,exit -F path=/usr/bin/newgrp -F -perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd - -If the command does not return a line that -matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example -output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"newgrp\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/newgrp -F -perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd - -To reload the rules file, issue -the following command: - + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"newgrp\" command. + +Check the configured audit rules with the following commands: + +$ sudo auditctl -l | grep newgrp + +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"newgrp\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238280 " diff --git a/controls/SV-238281.rb b/controls/SV-238281.rb index b2532fa..cf1a76c 100644 --- a/controls/SV-238281.rb +++ b/controls/SV-238281.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"chcon\" command. - -Check the currently configured audit rules with the -following command: - -$ sudo auditctl -l | grep chcon - --a always,exit -F -path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng - -If the command -does not return a line that matches the example or the line is commented out, this is a finding. - - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does -not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"chcon\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/chcon -F -perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng - -To reload the rules file, issue -the following command: - + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"chcon\" command. + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep chcon + +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chcon\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238281 " diff --git a/controls/SV-238282.rb b/controls/SV-238282.rb index 499889c..45193b3 100644 --- a/controls/SV-238282.rb +++ b/controls/SV-238282.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"apparmor_parser\" command. - -Check the currently configured audit -rules with the following command: - -$ sudo auditctl -l | grep apparmor_parser - --a -always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k -perm_chng - -If the command does not return a line that matches the example or the line is -commented out, this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary -identifier, and the string after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"apparmor_parser\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/sbin/apparmor_parser --F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng - -To reload the rules file, -issue the following command: - + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"apparmor_parser\" command. + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep apparmor_parser + +-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"apparmor_parser\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238282 " diff --git a/controls/SV-238283.rb b/controls/SV-238283.rb index 95509e1..d8f9ebb 100644 --- a/controls/SV-238283.rb +++ b/controls/SV-238283.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"setfacl\" command. - -Check the currently configured audit rules with the -following command: - -$ sudo auditctl -l | grep setfacl - --a always,exit -F -path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng - -If the command -does not return a line that matches the example or the line is commented out, this is a finding. - - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does -not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"setfacl\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/setfacl -F -perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng - -To reload the rules file, issue -the following command: - + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"setfacl\" command. + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep setfacl + +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"setfacl\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238283 " diff --git a/controls/SV-238284.rb b/controls/SV-238284.rb index 99cb9f3..2fd5213 100644 --- a/controls/SV-238284.rb +++ b/controls/SV-238284.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"chacl\" command. - -Check the currently configured audit rules with the -following command: - -$ sudo audtctl -l | grep chacl - --a always,exit -F path=/usr/bin/chacl --F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng - -If the command does not return a line -that matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" -allows for specifying an arbitrary identifier, and the string after it does not need to match -the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"chacl\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/chacl -F -perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng - -To reload the rules file, issue -the following command: - + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the \"chacl\" command. + +Check the currently configured audit rules with the following command: + +$ sudo audtctl -l | grep chacl + +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chacl\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238284 " diff --git a/controls/SV-238285.rb b/controls/SV-238285.rb index cfc3a74..35a28fa 100644 --- a/controls/SV-238285.rb +++ b/controls/SV-238285.rb @@ -44,6 +44,7 @@ $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000470-GPOS-00214", "SRG-OS-000473-GPOS-00218"] diff --git a/controls/SV-238286.rb b/controls/SV-238286.rb index fbf6800..26734e6 100644 --- a/controls/SV-238286.rb +++ b/controls/SV-238286.rb @@ -44,6 +44,7 @@ $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000470-GPOS-00214", "SRG-OS-000473-GPOS-00218"] diff --git a/controls/SV-238287.rb b/controls/SV-238287.rb index 6ae99b4..1da03fc 100644 --- a/controls/SV-238287.rb +++ b/controls/SV-238287.rb @@ -44,6 +44,7 @@ $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000470-GPOS-00214", "SRG-OS-000473-GPOS-00218"] diff --git a/controls/SV-238288.rb b/controls/SV-238288.rb index 8d5fbc8..8d0f737 100644 --- a/controls/SV-238288.rb +++ b/controls/SV-238288.rb 
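Review bot: The check command in the chacl hunk keeps a typo in the tool name: `$ sudo audtctl -l | grep chacl` should be `$ sudo auditctl -l | grep chacl`. An assessor who copies the command as written gets a command-not-found error instead of the rule listing. Every other check string in this chunk spells `auditctl` correctly, so this is the only one that needs the fix.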
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\" -command. - -Check the currently configured audit rules with the following command: - -$ sudo -auditctl -l | grep -w passwd - --a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F -auid>=1000 -F auid!=-1 -F key=privileged-passwd - -If the command does not return a line -that matches the example or the line is commented out, this is a finding. - -Note: The \"key\" -allows for specifying an arbitrary identifier, and the string after it does not need to match -the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"passwd\" command. - -Add or update the following rule in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/passwd -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -To reload the rules -file, issue the following command: - + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\" command. + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep -w passwd + +-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-passwd + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"key\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"passwd\" command. 
+ +Add or update the following rule in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238288 " diff --git a/controls/SV-238289.rb b/controls/SV-238289.rb index 52d6204..2a64b51 100644 --- a/controls/SV-238289.rb +++ b/controls/SV-238289.rb 
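Review bot: The check and fix texts in this hunk describe the rule key in two different forms: the check shows `-S all -F path=/usr/bin/passwd ... -F key=privileged-passwd` and its note refers to `\"key\"`, while the fix adds `-k privileged-passwd` and every sibling control in this chunk shows the `-k` form in the expected check output. Both refer to the same rule key, and I believe `auditctl -l` prints one form or the other depending on the audit version, so the note should say so, e.g. `Note: The \"-k\" (printed as \"-F key=\" by some auditctl versions) allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.`. Without that, an assessor comparing this control's listing with the others may treat the difference in form as a finding.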
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the -\"unix_update\" command. - -Check the currently configured audit rules with the following -command: - -$ sudo auditctl -l | grep -w unix_update - --a always,exit -F -path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update - - -If the command does not return a line that matches the example or the line is commented out, -this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"unix_update\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/sbin/unix_update -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update - -To reload the -rules file, issue the following command: - + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"unix_update\" command. + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep -w unix_update + +-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"unix_update\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238289 " diff --git a/controls/SV-238290.rb b/controls/SV-238290.rb index 292b947..517d33c 100644 --- a/controls/SV-238290.rb +++ b/controls/SV-238290.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\" -command. - -Check the currently configured audit rules with the following command: - -$ sudo -auditctl -l | grep -w gpasswd - --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F -auid>=1000 -F auid!=-1 -k privileged-gpasswd - -If the command does not return a line that -matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example -output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"gpasswd\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/gpasswd -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd - -To reload the rules -file, issue the following command: - + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\" command. + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep -w gpasswd + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"gpasswd\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238290 " diff --git a/controls/SV-238291.rb b/controls/SV-238291.rb index 9dc2155..368d4e9 100644 --- a/controls/SV-238291.rb +++ b/controls/SV-238291.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\" -command. - -Check the currently configured audit rules with the following command: - -$ sudo -auditctl -l | grep -w chage - --a always,exit -F path=/usr/bin/chage -F perm=x -F -auid>=1000 -F auid!=-1 -k privileged-chage - -If the command does not return a line that -matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example -output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"chage\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/chage -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage - -To reload the rules -file, issue the following command: - + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\" command. + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep -w chage + +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"chage\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238291 " diff --git a/controls/SV-238292.rb b/controls/SV-238292.rb index 21062bf..e80a6bd 100644 --- a/controls/SV-238292.rb +++ b/controls/SV-238292.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\" -command. - -Check the currently configured audit rules with the following command: - -$ sudo -auditctl -l | grep -w usermod - --a always,exit -F path=/usr/sbin/usermod -F perm=x -F -auid>=1000 -F auid!=-1 -k privileged-usermod - -If the command does not return a line that -matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example -output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"usermod\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/sbin/usermod -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod - -To reload the rules -file, issue the following command: - + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\" command. + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep -w usermod + +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"usermod\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238292 " diff --git a/controls/SV-238293.rb b/controls/SV-238293.rb index 549dade..65b59ba 100644 --- a/controls/SV-238293.rb +++ b/controls/SV-238293.rb 
@@ -15,37 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\" -command. - -Check the currently configured audit rules with the following command: - -$ sudo -auditctl -l | grep -w crontab - --a always,exit -F path=/usr/bin/crontab -F perm=x -F -auid>=1000 -F auid!=-1 -k privileged-crontab - -If the command does not return a line that -matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example -output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"crontab\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/crontab -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab - -To reload the rules -file, issue the following command: - + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\" command. + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep -w crontab + +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"crontab\" command. 
+ +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238293 " diff --git a/controls/SV-238294.rb b/controls/SV-238294.rb index c794420..4f29e8a 100644 --- a/controls/SV-238294.rb +++ b/controls/SV-238294.rb 
@@ -15,39 +15,28 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the -\"pam_timestamp_check\" command. - -Check the currently configured audit rules with the -following command: - -$ sudo auditctl -l | grep -w pam_timestamp_check - --a always,exit -F -path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k -privileged-pam_timestamp_check - -If the command does not return a line that matches the -example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for specifying -an arbitrary identifier, and the string after it does not need to match the example output -above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"pam_timestamp_check\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F -path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k -privileged-pam_timestamp_check - -To reload the rules file, issue the following command: - - + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"pam_timestamp_check\" command. + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep -w pam_timestamp_check + +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." 
+ desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"pam_timestamp_check\" command. + +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag gid: "V-238294 " diff --git a/controls/SV-238295.rb b/controls/SV-238295.rb index e71aca6..59debc8 100644 --- a/controls/SV-238295.rb +++ b/controls/SV-238295.rb 
@@ -27,49 +27,34 @@ syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible." - desc "check", "Verify the Ubuntu operating system generates an audit record for any -successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls. - - -Check the currently configured audit rules with the following command: - -$ sudo auditctl -l -| grep init_module - --a always,exit -F arch=b32 -S init_module,finit_module -F -auid>=1000 -F auid!=-1 -k module_chng --a always,exit -F arch=b64 -S -init_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng - -If the command -does not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines -are commented out, this is a finding. - -Notes: -For 32-bit architectures, only the 32-bit -specific output lines from the commands are required. -The \"-k\" allows for specifying an -arbitrary identifier, and the string after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"init_module\" and \"finit_module\" syscalls. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F arch=b32 -S -init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng --a -always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F -auid!=4294967295 -k module_chng - -Notes: For 32-bit architectures, only the 32-bit -specific entries are required. - -To reload the rules file, issue the following command: - -$ -sudo augenrules --load" + desc "check", "Verify the Ubuntu operating system generates an audit record for any successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls. 
+ +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep init_module + +-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng + +If the command does not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines are commented out, this is a finding. + +Notes: +For 32-bit architectures, only the 32-bit specific output lines from the commands are required. +The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"init_module\" and \"finit_module\" syscalls. + +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng + +Notes: For 32-bit architectures, only the 32-bit specific entries are required. + +To reload the rules file, issue the following command: + +$ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag satisfies: ["SRG-OS-000064-GPOS-00033", "SRG-OS-000471-GPOS-00216"] diff --git a/controls/SV-238297.rb b/controls/SV-238297.rb index f027da9..b5514b0 100644 --- a/controls/SV-238297.rb +++ b/controls/SV-238297.rb 
@@ -15,47 +15,34 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter)." - desc "check", "Verify the Ubuntu operating system generates an audit record for any -successful/unsuccessful attempts to use the \"delete_module\" syscall. - -Check the -currently configured audit rules with the following command: - -$ sudo auditctl -l | grep -w -delete_module - --a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 --k module_chng --a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k -module_chng - -If the command does not return a line that matches the example or the line is -commented out, this is a finding. - -Notes: -- For 32-bit architectures, only the 32-bit -specific output lines from the commands are required. -- The \"-k\" allows for specifying an -arbitrary identifier, and the string after it does not need to match the example output above." - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"delete_module\" syscall. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F arch=b32 -S delete_module -F -auid>=1000 -F auid!=4294967295 -k module_chng --a always,exit -F arch=b64 -S -delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng - -Notes: For 32-bit -architectures, only the 32-bit specific entries are required. - -To reload the rules file, -issue the following command: - + desc "check", "Verify the Ubuntu operating system generates an audit record for any successful/unsuccessful attempts to use the \"delete_module\" syscall. 
+ +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l | grep -w delete_module + +-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -k module_chng +-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k module_chng + +If the command does not return a line that matches the example or the line is commented out, this is a finding. + +Notes: +- For 32-bit architectures, only the 32-bit specific output lines from the commands are required. +- The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above." + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"delete_module\" syscall. + +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng +-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng + +Notes: For 32-bit architectures, only the 32-bit specific entries are required. + +To reload the rules file, issue the following command: + $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000064-GPOS-00033 " tag satisfies: ["SRG-OS-000477-GPOS-00222"] diff --git a/controls/SV-238298.rb b/controls/SV-238298.rb index 3595bd4..37c1d50 100644 --- a/controls/SV-238298.rb +++ b/controls/SV-238298.rb 
@@ -97,11 +97,12 @@ $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000122-GPOS-00063 " tag satisfies: ["SRG-OS-000122-GPOS-00063", "SRG-OS-000037-GPOS-00015", "SRG-OS-000038-GPOS-00016", "SRG-OS-000039-GPOS-00017", "SRG-OS-000040-GPOS-00018", "SRG-OS-000041-GPOS-00019", "SRG-OS-000042-GPOS-00020", "SRG-OS-000042-GPOS-00021", "SRG-OS-000051-GPOS-00024", "SRG-OS-000054-GPOS-00025", "SRG-OS-000062-GPOS-00031", "SRG-OS-000337-GPOS-00129", "SRG-OS-000348-GPOS-00136", "SRG-OS-000349-GPOS-00137", "SRG-OS-000350-GPOS-00138", "SRG-OS-000351-GPOS-00139", "SRG-OS-000352-GPOS-00140", "SRG-OS-000353-GPOS-00141", "SRG-OS-000354-GPOS-00142", "SRG-OS-000475-GPOS-00220"] tag gid: "V-238298 " - tag rid: "SV-238298r853421_rule " + tag rid: "SV-238298r654069_rule" tag stig_id: "UBTU-20-010182 " tag fix_id: "F-41467r654068_fix " tag cci: ["CCI-000130", "CCI-000131", "CCI-000132", "CCI-000133", "CCI-000134", "CCI-000135", "CCI-000154", "CCI-000158", "CCI-000169", "CCI-000172", "CCI-001875", "CCI-001876", "CCI-001877", "CCI-001878", "CCI-001879", "CCI-001880", "CCI-001881", "CCI-001882", "CCI-001914"] diff --git a/controls/SV-238299.rb b/controls/SV-238299.rb index ee92a56..56b9361 100644 --- a/controls/SV-238299.rb +++ b/controls/SV-238299.rb @@ -31,6 +31,7 @@ $ sudo update-grub" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000254-GPOS-00095 " tag gid: "V-238299 " diff --git a/controls/SV-238300.rb b/controls/SV-238300.rb index ddc497f..0c160e8 100644 --- a/controls/SV-238300.rb +++ b/controls/SV-238300.rb @@ -54,6 +54,7 @@ Replace \"[audit_tool]\" with the audit tool that does not have the correct permissions." impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000256-GPOS-00097 " tag satisfies: ["SRG-OS-000256-GPOS-00097", "SRG-OS-000257-GPOS-00098"] 
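Review bot: The new `tag rid: "SV-238298r654069_rule"` lowers the revision suffix from r853421 to r654069; in DISA rule identifiers that suffix is a revision counter, so this reads as a regression to an older benchmark release rather than an update, and the same backward step appears in SV-238304, SV-238305, SV-238306, SV-238307, SV-238308 and SV-238309 in this patch. Since the `fix_id` values (`F-41467r654068_fix`) and the check/fix text are unchanged, it is not clear which benchmark revision the formatter was run against; confirm the intended XCCDF source before merging, as the rid is what downstream tooling uses to map results to the published STIG rule. Separately, the rewritten `tag rid:` lines drop the trailing space that every other tag in the same hunk still carries (`"medium "`, `"V-238298 "`), so either strip it consistently across all tags or keep `"SV-238298r654069_rule "` to match.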
diff --git a/controls/SV-238301.rb b/controls/SV-238301.rb index b19ff7a..c8d0835 100644 --- a/controls/SV-238301.rb +++ b/controls/SV-238301.rb @@ -54,6 +54,7 @@ Replace \"[audit_tool]\" with each audit tool not owned by root." impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000256-GPOS-00097 " tag satisfies: ["SRG-OS-000256-GPOS-00097", "SRG-OS-000257-GPOS-00098"] diff --git a/controls/SV-238302.rb b/controls/SV-238302.rb index dbd1043..228ef55 100644 --- a/controls/SV-238302.rb +++ b/controls/SV-238302.rb @@ -55,6 +55,7 @@ Replace \"[audit_tool]\" with each audit tool not group-owned by root." impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000256-GPOS-00097 " tag satisfies: ["SRG-OS-000256-GPOS-00097", "SRG-OS-000257-GPOS-00098"] diff --git a/controls/SV-238303.rb b/controls/SV-238303.rb index 771b6c6..faac00b 100644 --- a/controls/SV-238303.rb +++ b/controls/SV-238303.rb @@ -78,6 +78,7 @@ /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000278-GPOS-00108 " tag gid: "V-238303 " diff --git a/controls/SV-238304.rb b/controls/SV-238304.rb index 5490024..07a99cb 100644 --- a/controls/SV-238304.rb +++ b/controls/SV-238304.rb @@ -67,11 +67,12 @@ $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000326-GPOS-00126 " tag satisfies: ["SRG-OS-000326-GPOS-00126", "SRG-OS-000327-GPOS-00127"] tag gid: "V-238304 " - tag rid: "SV-238304r853422_rule " + tag rid: "SV-238304r654087_rule" tag stig_id: "UBTU-20-010211 " tag fix_id: "F-41473r654086_fix " tag cci: ["CCI-002233", "CCI-002234"] diff --git a/controls/SV-238305.rb b/controls/SV-238305.rb index f07ea80..adef19e 100644 --- a/controls/SV-238305.rb +++ b/controls/SV-238305.rb 
@@ -48,31 +48,23 @@ If the audit record partition is not allocated for sufficient storage capacity, this is a finding." - desc "fix", "Allocate enough storage capacity for at least one week's worth of audit records when audit -records are not immediately sent to a central audit record storage facility. - -If audit -records are stored on a partition made specifically for audit records, use the \"parted\" -program to resize the partition with sufficient space to contain one week's worth of audit -records. - -If audit records are not stored on a partition made specifically for audit -records, a new partition with sufficient amount of space will need be to be created. - -Set the -auditd server to point to the mount point where the audit records must be located: - -$ sudo sed --i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@' -/etc/audit/auditd.conf - -where <log mountpoint> is the aforementioned mount -point." + desc "fix", "Allocate enough storage capacity for at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. + +If audit records are stored on a partition made specifically for audit records, use the \"parted\" program to resize the partition with sufficient space to contain one week's worth of audit records. + +If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of space will need be to be created. + +Set the auditd server to point to the mount point where the audit records must be located: + +$ sudo sed -i -E 's@^(log_file\\s*=\\s*).*@\\1 /audit.log@' /etc/audit/auditd.conf + +where is the aforementioned mount point." 
impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000341-GPOS-00132 " tag gid: "V-238305 " - tag rid: "SV-238305r853423_rule " + tag rid: "SV-238305r654090_rule" tag stig_id: "UBTU-20-010215 " tag fix_id: "F-41474r654089_fix " tag cci: ["CCI-001849"] diff --git a/controls/SV-238306.rb b/controls/SV-238306.rb index 243130f..8393f8a 100644 --- a/controls/SV-238306.rb +++ b/controls/SV-238306.rb 
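Review bot: The reformatted fix text lost the `<log mountpoint>` placeholder in both places it appeared: the sed now reads `'s@^(log_file\\s*=\\s*).*@\\1 /audit.log@'` and the explanation reads `where is the aforementioned mount point.`, so an operator following it verbatim would point `log_file` at `/audit.log` on the root filesystem instead of the dedicated audit partition the control is meant to enforce. The same stripping happened to `<remote addr>` in the SV-238306 hunk, where the sed becomes `\\1 /` and would leave `remote_server` empty — the exact condition that hunk's own check text calls a finding. The angle-bracket tokens appear to have been treated as markup by the formatter (inferred, not visible here); restore them as `\\1 <log mountpoint>/audit.log@'` and `where <log mountpoint> is the aforementioned mount point.` here, and the equivalent `<remote addr>` lines in SV-238306.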
@@ -43,40 +43,32 @@ If the \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid address, this is a finding." - desc "fix", "Configure the audit event multiplexor to offload audit records to a different system or -storage media from the system being audited. - -Install the audisp-remote plugin: - -$ sudo -apt-get install audispd-plugins -y - -Set the audisp-remote plugin as active by editing the -\"/etc/audisp/plugins.d/au-remote.conf\" file: - -$ sudo sed -i -E -'s/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf - -Set the -address of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file: - -$ -sudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/' -/etc/audisp/audisp-remote.conf - -where <remote addr> must be substituted by the -address of the remote server receiving the audit log. - -Make the audit service reload its -configuration files: - + desc "fix", "Configure the audit event multiplexor to offload audit records to a different system or storage media from the system being audited. + +Install the audisp-remote plugin: + +$ sudo apt-get install audispd-plugins -y + +Set the audisp-remote plugin as active by editing the \"/etc/audisp/plugins.d/au-remote.conf\" file: + +$ sudo sed -i -E 's/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf + +Set the address of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file: + +$ sudo sed -i -E 's/(remote_server\\s*=).*/\\1 /' /etc/audisp/audisp-remote.conf + +where must be substituted by the address of the remote server receiving the audit log. 
+ +Make the audit service reload its configuration files: + $ sudo systemctl restart auditd.service" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000342-GPOS-00133 " tag satisfies: ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"] tag gid: "V-238306 " - tag rid: "SV-238306r853424_rule " + tag rid: "SV-238306r654093_rule" tag stig_id: "UBTU-20-010216 " tag fix_id: "F-41475r654092_fix " tag cci: ["CCI-001851"] diff --git a/controls/SV-238307.rb b/controls/SV-238307.rb index 4382fe6..4c1660d 100644 --- a/controls/SV-238307.rb +++ b/controls/SV-238307.rb @@ -63,10 +63,11 @@ Edit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at least 25% of the repository maximum audit record storage capacity." impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000343-GPOS-00134 " tag gid: "V-238307 " - tag rid: "SV-238307r853425_rule " + tag rid: "SV-238307r654096_rule" tag stig_id: "UBTU-20-010217 " tag fix_id: "F-41476r654095_fix " tag cci: ["CCI-001855"] diff --git a/controls/SV-238308.rb b/controls/SV-238308.rb index 704fe77..996e5f0 100644 --- a/controls/SV-238308.rb +++ b/controls/SV-238308.rb @@ -26,10 +26,11 @@ $ sudo timedatectl set-timezone [ZONE]" impact 0.3 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "low " tag gtitle: "SRG-OS-000359-GPOS-00146 " tag gid: "V-238308 " - tag rid: "SV-238308r853426_rule " + tag rid: "SV-238308r654099_rule" tag stig_id: "UBTU-20-010230 " tag fix_id: "F-41477r654098_fix " tag cci: ["CCI-001890"] diff --git a/controls/SV-238309.rb b/controls/SV-238309.rb index 10e97b7..7e55881 100644 --- a/controls/SV-238309.rb +++ b/controls/SV-238309.rb 
@@ -70,11 +70,12 @@ $ sudo augenrules --load" impact 0.5 + ref 'DPMS Target Canonical Ubuntu 20.04 LTS' tag severity: "medium " tag gtitle: "SRG-OS-000392-GPOS-00172 " tag satisfies: ["SRG-OS-000392-GPOS-00172", "SRG-OS-000471-GPOS-00215"] tag gid: "V-238309 " - tag rid: "SV-238309r853427_rule " + tag rid: "SV-238309r654102_rule" tag stig_id: "UBTU-20-010244 " tag fix_id: "F-41478r654101_fix " tag cci: ["CCI-000172", "CCI-002884"] diff --git a/controls/SV-238310.rb b/controls/SV-238310.rb index 203f028..5795891 100644 --- a/controls/SV-238310.rb +++ b/controls/SV-238310.rb 
@@ -27,50 +27,34 @@ syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible."
- desc "check", "Verify the Ubuntu operating system generates audit records for any
-successful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"
-system calls.
-
-Check the currently configured audit rules with the following command:
-
-$
-sudo auditctl -l | grep 'unlink\\|rename\\|rmdir'
-
--a always,exit -F arch=b64 -S
-unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete
--a
-always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F
-auid!=-1 -F key=delete
-
-If the command does not return audit rules for the \"unlink\",
-\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this
-is a finding.
-
-Notes:
-For 32-bit architectures, only the 32-bit specific output lines from
-the commands are required.
-The \"key\" allows for specifying an arbitrary identifier, and the
-string after it does not need to match the example output above."
- desc "fix", "Configure the audit system to generate audit events for any successful/unsuccessful use of
-\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.
-
-Add or update the
-following rules in the \"/etc/audit/rules.d/stig.rules\" file:
-
--a always,exit -F
-arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F
-auid!=4294967295 -k delete
--a always,exit -F arch=b32 -S
-unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-
-
-Notes: For 32-bit architectures, only the 32-bit specific entries are required.
-
-To
-reload the rules file, issue the following command:
-
+ desc "check", "Verify the Ubuntu operating system generates audit records for any successful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.
+
+Check the currently configured audit rules with the following command:
+
+$ sudo auditctl -l | grep 'unlink\\|rename\\|rmdir'
+
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete
+
+If the command does not return audit rules for the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this is a finding.
+
+Notes:
+For 32-bit architectures, only the 32-bit specific output lines from the commands are required.
+The \"key\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above."
+ desc "fix", "Configure the audit system to generate audit events for any successful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.
+
+Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:
+
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
+
+Notes: For 32-bit architectures, only the 32-bit specific entries are required.
+
+To reload the rules file, issue the following command:
+
 $ sudo augenrules --load"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000468-GPOS-00212 "
 tag gid: "V-238310 "
diff --git a/controls/SV-238315.rb b/controls/SV-238315.rb
index c919ced..82f86c7 100644
--- a/controls/SV-238315.rb
+++ b/controls/SV-238315.rb
@@ -43,6 +43,7 @@ $ sudo augenrules --load"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000472-GPOS-00217 "
 tag gid: "V-238315 "
diff --git a/controls/SV-238316.rb b/controls/SV-238316.rb
index d0bd22e..d10a67a 100644
--- a/controls/SV-238316.rb
+++ b/controls/SV-238316.rb
@@ -43,6 +43,7 @@ $ sudo augenrules --load"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000472-GPOS-00217 "
 tag gid: "V-238316 "
diff --git a/controls/SV-238317.rb b/controls/SV-238317.rb
index 979aefa..5a7a598 100644
--- a/controls/SV-238317.rb
+++ b/controls/SV-238317.rb
@@ -43,6 +43,7 @@ $ sudo augenrules --load"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000472-GPOS-00217 "
 tag gid: "V-238317 "
diff --git a/controls/SV-238318.rb b/controls/SV-238318.rb
index e0f8383..ab3ee9a 100644
--- a/controls/SV-238318.rb
+++ b/controls/SV-238318.rb
@@ -41,6 +41,7 @@ $ sudo augenrules --load"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000477-GPOS-00222 "
 tag gid: "V-238318 "
diff --git a/controls/SV-238319.rb b/controls/SV-238319.rb
index 7f0c3bd..8a57fc3 100644
--- a/controls/SV-238319.rb
+++ b/controls/SV-238319.rb
@@ -44,6 +44,7 @@ $ sudo augenrules --load"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000477-GPOS-00222 "
 tag gid: "V-238319 "
diff --git a/controls/SV-238320.rb b/controls/SV-238320.rb
index 91cd744..8ac5b55 100644
--- a/controls/SV-238320.rb
+++ b/controls/SV-238320.rb
@@ -44,6 +44,7 @@ $ sudo augenrules --load"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000477-GPOS-00222 "
 tag gid: "V-238320 "
diff --git a/controls/SV-238321.rb b/controls/SV-238321.rb
index 7c455dc..fbd3d65 100644
--- a/controls/SV-238321.rb
+++ b/controls/SV-238321.rb
@@ -34,10 +34,11 @@ The script must be located in the \"/etc/cron.weekly\" directory."
 impact 0.3
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "low "
 tag gtitle: "SRG-OS-000479-GPOS-00224 "
 tag gid: "V-238321 "
- tag rid: "SV-238321r853428_rule "
+ tag rid: "SV-238321r654138_rule"
 tag stig_id: "UBTU-20-010300 "
 tag fix_id: "F-41490r654137_fix "
 tag cci: ["CCI-001851"]
diff --git a/controls/SV-238323.rb b/controls/SV-238323.rb
index 10449cf..f64e0d3 100644
--- a/controls/SV-238323.rb
+++ b/controls/SV-238323.rb
@@ -40,6 +40,7 @@ * hard maxlogins 10"
 impact 0.3
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "low "
 tag gtitle: "SRG-OS-000027-GPOS-00008 "
 tag gid: "V-238323 "
diff --git a/controls/SV-238324.rb b/controls/SV-238324.rb
index a094797..85ea547 100644
--- a/controls/SV-238324.rb
+++ b/controls/SV-238324.rb
@@ -55,6 +55,7 @@ $ sudo systemctl restart rsyslog.service"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000032-GPOS-00013 "
 tag gid: "V-238324 "
diff --git a/controls/SV-238325.rb b/controls/SV-238325.rb
index eedff3f..8f35943 100644
--- a/controls/SV-238325.rb
+++ b/controls/SV-238325.rb
@@ -28,6 +28,7 @@ ENCRYPT_METHOD SHA512"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000120-GPOS-00061 "
 tag gid: "V-238325 "
diff --git a/controls/SV-238326.rb b/controls/SV-238326.rb
index 27c2521..41b289d 100644
--- a/controls/SV-238326.rb
+++ b/controls/SV-238326.rb
@@ -17,6 +17,7 @@ $ sudo apt-get remove telnetd"
 impact 0.7
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "high "
 tag gtitle: "SRG-OS-000074-GPOS-00042 "
 tag gid: "V-238326 "
diff --git a/controls/SV-238327.rb b/controls/SV-238327.rb
index a75025e..59d0ae2 100644
--- a/controls/SV-238327.rb
+++ b/controls/SV-238327.rb
@@ -40,6 +40,7 @@ $ sudo apt-get remove rsh-server"
 impact 0.7
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "high "
 tag gtitle: "SRG-OS-000095-GPOS-00049 "
 tag gid: "V-238327 "
diff --git a/controls/SV-238328.rb b/controls/SV-238328.rb
index b96054f..0750320 100644
--- a/controls/SV-238328.rb
+++ b/controls/SV-238328.rb
@@ -72,20 +72,17 @@ If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding."
- desc "fix", "Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:
-
-
-$ sudo ufw allow <direction> <port/protocol/service>
-
-where the
-direction is \"in\" or \"out\" and the port is the one corresponding to the protocol or service
-allowed.
-
-To deny access to ports, protocols, or services, use:
-
-$ sudo ufw deny
-<direction> <port/protocol/service>"
+ desc "fix", "Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:
+
+$ sudo ufw allow
+
+where the direction is \"in\" or \"out\" and the port is the one corresponding to the protocol or service allowed.
+
+To deny access to ports, protocols, or services, use:
+
+$ sudo ufw deny "
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000096-GPOS-00050 "
 tag gid: "V-238328 "
diff --git a/controls/SV-238329.rb b/controls/SV-238329.rb
index 1526e4c..1964460 100644
--- a/controls/SV-238329.rb
+++ b/controls/SV-238329.rb
@@ -62,6 +62,7 @@ $ sudo passwd -l root"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000109-GPOS-00056 "
 tag gid: "V-238329 "
diff --git a/controls/SV-238330.rb b/controls/SV-238330.rb
index bc534a5..569ca9a 100644
--- a/controls/SV-238330.rb
+++ b/controls/SV-238330.rb
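Review bot: The reflowed fix text in SV-238328 loses the command arguments: the new `+$ sudo ufw allow` and `+$ sudo ufw deny "` no longer carry the `<direction> <port/protocol/service>` placeholders that the removed lines had, so the guidance now shows bare commands and a stray space before the closing quote. This looks like the angle-bracket placeholders were treated as markup and stripped during the reflow; none of the other reflowed desc hunks visible on this page contain such tokens, which is consistent with that cause. Restore them as `$ sudo ufw allow <direction> <port/protocol/service>` and `$ sudo ufw deny <direction> <port/protocol/service>"`, and scan the rest of the delta output for other dropped `<...>` tokens before merging.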
@@ -15,19 +15,15 @@ Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity."
- desc "check", "Verify the account identifiers (individuals, groups, roles, and devices) are disabled
-after 35 days of inactivity with the following command:
-
-Check the account inactivity value
-by performing the following command:
-
-$ sudo grep INACTIVE /etc/default/useradd
-
-
-INACTIVE=35
-
-If \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,
-this is a finding."
+ desc "check", "Verify the account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command:
+
+Check the account inactivity value by performing the following command:
+
+$ sudo grep INACTIVE /etc/default/useradd
+
+INACTIVE=35
+
+If \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out, this is a finding."
 desc "fix", "Configure the Ubuntu operating system to disable account identifiers after 35 days of inactivity after the password expiration.
@@ -40,6 +36,7 @@ but a lower value is acceptable. The value \"0\" will disable the account immediately after the password expires."
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000118-GPOS-00060 "
 tag gid: "V-238330 "
diff --git a/controls/SV-238331.rb b/controls/SV-238331.rb
index ffbce84..fd461f2 100644
--- a/controls/SV-238331.rb
+++ b/controls/SV-238331.rb
@@ -43,6 +43,7 @@ $ sudo chage -E $(date -d \"+3 days\" +%F) account_name"
 impact 0.3
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "low "
 tag gtitle: "SRG-OS-000123-GPOS-00064 "
 tag gid: "V-238331 "
diff --git a/controls/SV-238332.rb b/controls/SV-238332.rb
index d2a4f82..080388c 100644
--- a/controls/SV-238332.rb
+++ b/controls/SV-238332.rb
@@ -52,6 +52,7 @@ $ sudo chmod +t [Public Directory]"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000138-GPOS-00069 "
 tag gid: "V-238332 "
diff --git a/controls/SV-238333.rb b/controls/SV-238333.rb
index 191e6a1..88254c9 100644
--- a/controls/SV-238333.rb
+++ b/controls/SV-238333.rb
@@ -46,6 +46,7 @@ net.ipv4.tcp_syncookies = 1"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000142-GPOS-00071 "
 tag gid: "V-238333 "
diff --git a/controls/SV-238334.rb b/controls/SV-238334.rb
index 651a77e..6ffb335 100644
--- a/controls/SV-238334.rb
+++ b/controls/SV-238334.rb
@@ -28,6 +28,7 @@ If kernel core dumps are required, document the need with the ISSO."
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000184-GPOS-00078 "
 tag gid: "V-238334 "
diff --git a/controls/SV-238335.rb b/controls/SV-238335.rb
index 2b7a34d..2727b39 100644
--- a/controls/SV-238335.rb
+++ b/controls/SV-238335.rb
@@ -66,6 +66,7 @@ Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed."
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000185-GPOS-00079 "
 tag gid: "V-238335 "
diff --git a/controls/SV-238336.rb b/controls/SV-238336.rb
index 92412ff..da6df5d 100644
--- a/controls/SV-238336.rb
+++ b/controls/SV-238336.rb
@@ -15,39 +15,34 @@ To support this requirement, the operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools, as specified in the requirement."
- desc "check", "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.
-However, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and
-running.
-
-Check that the \"mcafeetp\" package has been installed:
-
-# dpkg -l | grep mcafeetp
-
-
-If the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.
-
-Check that
-the daemon is running:
-
-# /opt/McAfee/ens/tp/init/mfetpd-control.sh status
-
-If the
-daemon is not running, this finding will remain as a CAT II."
- desc "fix", "The Ubuntu operating system is not compliant with this requirement; however, the severity
-level can be mitigated to a CAT III if the ENSLTP module is installed and running.
-
-Configure
-the Ubuntu operating system to use ENSLTP.
-
-Install the \"mcafeetp\" package via the ePO
-server."
+ desc "check", "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding. However, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and running.
+
+Check that the \"mfetp\" package has been installed:
+
+# dpkg -l | grep mfetp
+
+If the \"mfetp\" package is not installed, this finding will remain as a CAT II.
+
+Check that the daemon is running:
+
+# /opt/McAfee/ens/tp/init/mfetpd-control.sh status
+
+If the daemon is not running, this finding will remain as a CAT II."
+ desc "fix", "The Ubuntu operating system is not compliant with this requirement; however, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and running.
+
+Configure the Ubuntu operating system to use ENSLTP.
+
+Install the \"mfetp\" package:
+
+# sudo apt-get install mfetp"
 impact 0.3
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "low "
 tag gtitle: "SRG-OS-000191-GPOS-00080 "
 tag gid: "V-238336 "
- tag rid: "SV-238336r858538_rule "
+ tag rid: "SV-238336r654183_rule"
 tag stig_id: "UBTU-20-010415 "
- tag fix_id: "F-41505r858537_fix "
+ tag fix_id: "F-41505r654182_fix"
 tag cci: ["CCI-001233"]
 tag nist: ["SI-2 (2)"]
diff --git a/controls/SV-238337.rb b/controls/SV-238337.rb
index b16eaca..749f73a 100644
--- a/controls/SV-238337.rb
+++ b/controls/SV-238337.rb
@@ -40,6 +40,7 @@ $ sudo find /var/log -perm /137 -type f -exec chmod 640 '{}' \\;"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000205-GPOS-00083 "
 tag gid: "V-238337 "
diff --git a/controls/SV-238338.rb b/controls/SV-238338.rb
index 24d6530..40797b4 100644
--- a/controls/SV-238338.rb
+++ b/controls/SV-238338.rb
@@ -34,6 +34,7 @@ $ sudo chgrp syslog /var/log"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000206-GPOS-00084 "
 tag gid: "V-238338 "
diff --git a/controls/SV-238339.rb b/controls/SV-238339.rb
index 6f287ec..d81644d 100644
--- a/controls/SV-238339.rb
+++ b/controls/SV-238339.rb
@@ -33,6 +33,7 @@ $ sudo chown root /var/log"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000206-GPOS-00084 "
 tag gid: "V-238339 "
diff --git a/controls/SV-238340.rb b/controls/SV-238340.rb
index f75b825..746c7b6 100644
--- a/controls/SV-238340.rb
+++ b/controls/SV-238340.rb
@@ -35,6 +35,7 @@ $ sudo chmod 0750 /var/log"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000206-GPOS-00084 "
 tag gid: "V-238340 "
diff --git a/controls/SV-238341.rb b/controls/SV-238341.rb
index 53bdf12..a087613 100644
--- a/controls/SV-238341.rb
+++ b/controls/SV-238341.rb
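Review bot: The new check and fix text of SV-238336 change substance, not just layout: the package becomes `mfetp` in place of `mcafeetp` (`# dpkg -l | grep mfetp` and the CAT II wording), and the fix now reads `# sudo apt-get install mfetp` where the removed line said to install via the ePO server, while `tag rid` and `tag fix_id` move back from r858538/r858537 to r654183/r654182. Taken with the lower revision numbers, this looks like older benchmark text being reapplied rather than a reformat, and it should be confirmed against the intended STIG release before merge. The control's `describe` block lies outside this hunk; if it greps for the package name it must agree with whichever name is kept, otherwise the check text and the automated test will describe different packages.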
@@ -35,6 +35,7 @@ $ sudo chgrp adm /var/log/syslog"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000206-GPOS-00084 "
 tag gid: "V-238341 "
diff --git a/controls/SV-238342.rb b/controls/SV-238342.rb
index 616f8c7..83ff9e7 100644
--- a/controls/SV-238342.rb
+++ b/controls/SV-238342.rb
@@ -34,6 +34,7 @@ $ sudo chown syslog /var/log/syslog"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000206-GPOS-00084 "
 tag gid: "V-238342 "
diff --git a/controls/SV-238343.rb b/controls/SV-238343.rb
index 3605168..181525e 100644
--- a/controls/SV-238343.rb
+++ b/controls/SV-238343.rb
@@ -36,6 +36,7 @@ $ sudo chmod 0640 /var/log/syslog"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000206-GPOS-00084 "
 tag gid: "V-238343 "
diff --git a/controls/SV-238344.rb b/controls/SV-238344.rb
index 61fd30d..d623089 100644
--- a/controls/SV-238344.rb
+++ b/controls/SV-238344.rb
@@ -52,6 +52,7 @@ $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000258-GPOS-00099 "
 tag gid: "V-238344 "
diff --git a/controls/SV-238345.rb b/controls/SV-238345.rb
index 1f70ba5..ca005a7 100644
--- a/controls/SV-238345.rb
+++ b/controls/SV-238345.rb
@@ -51,6 +51,7 @@ $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \\;"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000258-GPOS-00099 "
 tag gid: "V-238345 "
diff --git a/controls/SV-238346.rb b/controls/SV-238346.rb
index 473e21a..73a25af 100644
--- a/controls/SV-238346.rb
+++ b/controls/SV-238346.rb
@@ -52,6 +52,7 @@ $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000258-GPOS-00099 "
 tag gid: "V-238346 "
diff --git a/controls/SV-238347.rb b/controls/SV-238347.rb
index 09156e5..9e8e3aa 100644
--- a/controls/SV-238347.rb
+++ b/controls/SV-238347.rb
@@ -35,6 +35,7 @@ $ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000259-GPOS-00100 "
 tag gid: "V-238347 "
diff --git a/controls/SV-238348.rb b/controls/SV-238348.rb
index f2af5b6..721b861 100644
--- a/controls/SV-238348.rb
+++ b/controls/SV-238348.rb
@@ -34,6 +34,7 @@ $ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}' \\;"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000259-GPOS-00100 "
 tag gid: "V-238348 "
diff --git a/controls/SV-238349.rb b/controls/SV-238349.rb
index 6361b41..7526e63 100644
--- a/controls/SV-238349.rb
+++ b/controls/SV-238349.rb
@@ -34,6 +34,7 @@ $ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root '{}' \\;"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000259-GPOS-00100 "
 tag gid: "V-238349 "
diff --git a/controls/SV-238350.rb b/controls/SV-238350.rb
index 4de5820..b0507c3 100644
--- a/controls/SV-238350.rb
+++ b/controls/SV-238350.rb
@@ -34,6 +34,7 @@ $ sudo find /lib /usr/lib /lib64 ! -user root -type d -exec chown root '{}' \\;"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000259-GPOS-00100 "
 tag gid: "V-238350 "
diff --git a/controls/SV-238351.rb b/controls/SV-238351.rb
index c0df0b7..cf08943 100644
--- a/controls/SV-238351.rb
+++ b/controls/SV-238351.rb
@@ -35,6 +35,7 @@ $ sudo chgrp root [FILE]"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000259-GPOS-00100 "
 tag gid: "V-238351 "
diff --git a/controls/SV-238352.rb b/controls/SV-238352.rb
index c596f09..4da949b 100644
--- a/controls/SV-238352.rb
+++ b/controls/SV-238352.rb
@@ -34,6 +34,7 @@ $ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root '{}' \\;"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000259-GPOS-00100 "
 tag gid: "V-238352 "
diff --git a/controls/SV-238353.rb b/controls/SV-238353.rb
index 945ccda..3cd82d0 100644
--- a/controls/SV-238353.rb
+++ b/controls/SV-238353.rb
@@ -61,6 +61,7 @@ $ sudo systemctl enable --now rsyslog"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000269-GPOS-00103 "
 tag gid: "V-238353 "
diff --git a/controls/SV-238354.rb b/controls/SV-238354.rb
index ba8bf11..e56eb11 100644
--- a/controls/SV-238354.rb
+++ b/controls/SV-238354.rb
@@ -48,10 +48,11 @@ $ sudo apt-get install ufw"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000297-GPOS-00115 "
 tag gid: "V-238354 "
- tag rid: "SV-238354r853429_rule "
+ tag rid: "SV-238354r654237_rule"
 tag stig_id: "UBTU-20-010433 "
 tag fix_id: "F-41523r654236_fix "
 tag cci: ["CCI-002314"]
diff --git a/controls/SV-238355.rb b/controls/SV-238355.rb
index 884285e..cc3540c 100644
--- a/controls/SV-238355.rb
+++ b/controls/SV-238355.rb
@@ -56,10 +56,11 @@ $ sudo systemctl enable --now ufw.service"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000297-GPOS-00115 "
 tag gid: "V-238355 "
- tag rid: "SV-238355r853430_rule "
+ tag rid: "SV-238355r654240_rule"
 tag stig_id: "UBTU-20-010434 "
 tag fix_id: "F-41524r654239_fix "
 tag cci: ["CCI-002314"]
diff --git a/controls/SV-238356.rb b/controls/SV-238356.rb
index 7470c7b..4ed0194 100644
--- a/controls/SV-238356.rb
+++ b/controls/SV-238356.rb
@@ -73,10 +73,11 @@ $ sudo systemctl restart chrony.service"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000355-GPOS-00143 "
 tag gid: "V-238356 "
- tag rid: "SV-238356r853431_rule "
+ tag rid: "SV-238356r808492_rule"
 tag stig_id: "UBTU-20-010435 "
 tag fix_id: "F-41525r808491_fix "
 tag cci: ["CCI-001891"]
diff --git a/controls/SV-238357.rb b/controls/SV-238357.rb
index 8673c63..156f7ea 100644
--- a/controls/SV-238357.rb
+++ b/controls/SV-238357.rb
@@ -56,10 +56,11 @@ $ sudo systemctl restart chrony.service"
 impact 0.3
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "low "
 tag gtitle: "SRG-OS-000356-GPOS-00144 "
 tag gid: "V-238357 "
- tag rid: "SV-238357r853432_rule "
+ tag rid: "SV-238357r654246_rule"
 tag stig_id: "UBTU-20-010436 "
 tag fix_id: "F-41526r654245_fix "
 tag cci: ["CCI-002046"]
diff --git a/controls/SV-238358.rb b/controls/SV-238358.rb
index defdd9f..c865b56 100644
--- a/controls/SV-238358.rb
+++ b/controls/SV-238358.rb
@@ -42,10 +42,11 @@ Modify the \"SILENTREPORTS\" parameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000363-GPOS-00150 "
 tag gid: "V-238358 "
- tag rid: "SV-238358r853433_rule "
+ tag rid: "SV-238358r654249_rule"
 tag stig_id: "UBTU-20-010437 "
 tag fix_id: "F-41527r654248_fix "
 tag cci: ["CCI-001744"]
diff --git a/controls/SV-238359.rb b/controls/SV-238359.rb
index f18e113..4fbbf6d 100644
--- a/controls/SV-238359.rb
+++ b/controls/SV-238359.rb
@@ -60,10 +60,11 @@ APT::Get::AllowUnauthenticated \"false\";"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000366-GPOS-00153 "
 tag gid: "V-238359 "
- tag rid: "SV-238359r853434_rule "
+ tag rid: "SV-238359r654319_rule"
 tag stig_id: "UBTU-20-010438 "
 tag fix_id: "F-41528r654251_fix "
 tag cci: ["CCI-001749"]
diff --git a/controls/SV-238360.rb b/controls/SV-238360.rb
index ed25b41..7c97638 100644
--- a/controls/SV-238360.rb
+++ b/controls/SV-238360.rb
@@ -73,11 +73,12 @@ will be based on the actual system setup and organization and normally are on a per role basis. See the AppArmor documentation for more information on configuring profiles."
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000368-GPOS-00154 "
 tag satisfies: ["SRG-OS-000368-GPOS-00154", "SRG-OS-000312-GPOS-00122", "SRG-OS-000312-GPOS-00123", "SRG-OS-000312-GPOS-00124", "SRG-OS-000324-GPOS-00125", "SRG-OS-000370-GPOS-00155"]
 tag gid: "V-238360 "
- tag rid: "SV-238360r853435_rule "
+ tag rid: "SV-238360r654255_rule"
 tag stig_id: "UBTU-20-010439 "
 tag fix_id: "F-41529r654254_fix "
 tag cci: ["CCI-001764", "CCI-001774", "CCI-002165", "CCI-002235"]
diff --git a/controls/SV-238361.rb b/controls/SV-238361.rb
index 67c378f..a11c0dd 100644
--- a/controls/SV-238361.rb
+++ b/controls/SV-238361.rb
@@ -35,10 +35,11 @@ $ sudo passwd -e [UserName]"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000380-GPOS-00165 "
 tag gid: "V-238361 "
- tag rid: "SV-238361r853436_rule "
+ tag rid: "SV-238361r654258_rule"
 tag stig_id: "UBTU-20-010440 "
 tag fix_id: "F-41530r654257_fix "
 tag cci: ["CCI-002041"]
diff --git a/controls/SV-238362.rb b/controls/SV-238362.rb
index 8e03e90..12195c3 100644
--- a/controls/SV-238362.rb
+++ b/controls/SV-238362.rb
@@ -29,10 +29,11 @@ file with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\" directory instead of the \"/etc/sssd/sssd.conf\" file."
 impact 0.3
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "low "
 tag gtitle: "SRG-OS-000383-GPOS-00166 "
 tag gid: "V-238362 "
- tag rid: "SV-238362r853437_rule "
+ tag rid: "SV-238362r654261_rule"
 tag stig_id: "UBTU-20-010441 "
 tag fix_id: "F-41531r654260_fix "
 tag cci: ["CCI-002007"]
diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb
index 36bb954..14cdc5a 100644
--- a/controls/SV-238363.rb
+++ b/controls/SV-238363.rb
@@ -30,11 +30,12 @@ Advantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and enable FIPS."
 impact 0.7
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "high "
 tag gtitle: "SRG-OS-000396-GPOS-00176 "
 tag satisfies: ["SRG-OS-000396-GPOS-00176", "SRG-OS-000478-GPOS-00223"]
 tag gid: "V-238363 "
- tag rid: "SV-238363r853438_rule "
+ tag rid: "SV-238363r654320_rule"
 tag stig_id: "UBTU-20-010442 "
 tag fix_id: "F-41532r654263_fix "
 tag cci: ["CCI-002450"]
diff --git a/controls/SV-238364.rb b/controls/SV-238364.rb
index 1f5b777..f7d5efa 100644
--- a/controls/SV-238364.rb
+++ b/controls/SV-238364.rb
@@ -51,12 +51,13 @@ $ sudo update-ca-certificates"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000403-GPOS-00182 "
 tag gid: "V-238364 "
- tag rid: "SV-238364r860824_rule "
+ tag rid: "SV-238364r832965_rule"
 tag stig_id: "UBTU-20-010443 "
- tag fix_id: "F-41533r860823_fix "
+ tag fix_id: "F-41533r832964_fix"
 tag cci: ["CCI-002470"]
 tag nist: ["SC-23 (5)"]
diff --git a/controls/SV-238365.rb b/controls/SV-238365.rb
index 3c1c10b..3a432c2 100644
--- a/controls/SV-238365.rb
+++ b/controls/SV-238365.rb
@@ -65,10 +65,11 @@ Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed."
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000404-GPOS-00183 "
 tag gid: "V-238365 "
- tag rid: "SV-238365r853442_rule "
+ tag rid: "SV-238365r654270_rule"
 tag stig_id: "UBTU-20-010444 "
 tag fix_id: "F-41534r654269_fix "
 tag cci: ["CCI-002475"]
diff --git a/controls/SV-238366.rb b/controls/SV-238366.rb
index cf23302..2d10d2d 100644
--- a/controls/SV-238366.rb
+++ b/controls/SV-238366.rb
@@ -65,10 +65,11 @@ Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed."
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000405-GPOS-00184 "
 tag gid: "V-238366 "
- tag rid: "SV-238366r853443_rule "
+ tag rid: "SV-238366r654273_rule"
 tag stig_id: "UBTU-20-010445 "
 tag fix_id: "F-41535r654272_fix "
 tag cci: ["CCI-002476"]
diff --git a/controls/SV-238367.rb b/controls/SV-238367.rb
index 2f0d7bf..ffac6ec 100644
--- a/controls/SV-238367.rb
+++ b/controls/SV-238367.rb
@@ -75,10 +75,11 @@ $ sudo ufw limit in on eth0"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000420-GPOS-00186 "
 tag gid: "V-238367 "
- tag rid: "SV-238367r853444_rule "
+ tag rid: "SV-238367r654276_rule"
 tag stig_id: "UBTU-20-010446 "
 tag fix_id: "F-41536r654275_fix "
 tag cci: ["CCI-002385"]
diff --git a/controls/SV-238368.rb b/controls/SV-238368.rb
index 6db0270..63474a6 100644
--- a/controls/SV-238368.rb
+++ b/controls/SV-238368.rb
@@ -39,10 +39,11 @@ \"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No Execution bit, set it to \"enable\"."
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000433-GPOS-00192 "
 tag gid: "V-238368 "
- tag rid: "SV-238368r853445_rule "
+ tag rid: "SV-238368r654279_rule"
 tag stig_id: "UBTU-20-010447 "
 tag fix_id: "F-41537r654278_fix "
 tag cci: ["CCI-002824"]
diff --git a/controls/SV-238369.rb b/controls/SV-238369.rb
index 8bfc537..fd66056 100644
--- a/controls/SV-238369.rb
+++ b/controls/SV-238369.rb
@@ -53,10 +53,11 @@ $ sudo sysctl --system"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000433-GPOS-00193 "
 tag gid: "V-238369 "
- tag rid: "SV-238369r853446_rule "
+ tag rid: "SV-238369r654282_rule"
 tag stig_id: "UBTU-20-010448 "
 tag fix_id: "F-41538r654281_fix "
 tag cci: ["CCI-002824"]
diff --git a/controls/SV-238370.rb b/controls/SV-238370.rb
index c5b5835..93d1a33 100644
--- a/controls/SV-238370.rb
+++ b/controls/SV-238370.rb
@@ -33,10 +33,11 @@ Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000437-GPOS-00194 "
 tag gid: "V-238370 "
- tag rid: "SV-238370r853447_rule "
+ tag rid: "SV-238370r654285_rule"
 tag stig_id: "UBTU-20-010449 "
 tag fix_id: "F-41539r654284_fix "
 tag cci: ["CCI-002617"]
diff --git a/controls/SV-238371.rb b/controls/SV-238371.rb
index fb9e779..a817115 100644
--- a/controls/SV-238371.rb
+++ b/controls/SV-238371.rb
@@ -42,10 +42,11 @@ $ sudo apt-get install aide"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000445-GPOS-00199 "
 tag gid: "V-238371 "
- tag rid: "SV-238371r853448_rule "
+ tag rid: "SV-238371r654288_rule"
 tag stig_id: "UBTU-20-010450 "
 tag fix_id: "F-41540r654287_fix "
 tag cci: ["CCI-002696"]
diff --git a/controls/SV-238372.rb b/controls/SV-238372.rb
index 330062f..623b681 100644
--- a/controls/SV-238372.rb
+++ b/controls/SV-238372.rb
@@ -40,10 +40,11 @@ Modify the \"SILENTREPORTS\" parameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000447-GPOS-00201 "
 tag gid: "V-238372 "
- tag rid: "SV-238372r853449_rule "
+ tag rid: "SV-238372r654318_rule"
 tag stig_id: "UBTU-20-010451 "
 tag fix_id: "F-41541r654290_fix "
 tag cci: ["CCI-002702"]
diff --git a/controls/SV-238373.rb b/controls/SV-238373.rb
index 6f5b9c0..be80860 100644
--- a/controls/SV-238373.rb
+++ b/controls/SV-238373.rb
@@ -37,14 +37,15 @@ session required pam_lastlog.so showfailed"
 impact 0.3
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "low "
 tag gtitle: "SRG-OS-000480-GPOS-00227 "
 tag gid: "V-238373 "
- tag rid: "SV-238373r858539_rule "
+ tag rid: "SV-238373r654294_rule"
 tag stig_id: "UBTU-20-010453 "
 tag fix_id: "F-41542r654293_fix "
- tag cci: ["CCI-000052"]
- tag nist: ["AC-9"]
+ tag cci: ["CCI-000052", "CCI-000366"]
+ tag nist: ["AC-9", "CM-6 b"]
 describe command('grep pam_lastlog /etc/pam.d/login') do
 its('exit_status') { should eq 0 }
diff --git a/controls/SV-238374.rb b/controls/SV-238374.rb
index 6300e50..1768f28 100644
--- a/controls/SV-238374.rb
+++ b/controls/SV-238374.rb
@@ -30,6 +30,7 @@ $ sudo systemctl start ufw.service"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000480-GPOS-00232 "
 tag gid: "V-238374 "
diff --git a/controls/SV-238376.rb b/controls/SV-238376.rb
index 356f779..781e0fc 100644
--- a/controls/SV-238376.rb
+++ b/controls/SV-238376.rb
@@ -45,6 +45,7 @@
 $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \\;"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000259-GPOS-00100 "
 tag gid: "V-238376 "
diff --git a/controls/SV-238377.rb b/controls/SV-238377.rb
index fa02cee..2d43222 100644
--- a/controls/SV-238377.rb
+++ b/controls/SV-238377.rb
@@ -45,6 +45,7 @@
 $ sudo chown root [FILE]"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000259-GPOS-00100 "
 tag gid: "V-238377 "
diff --git a/controls/SV-238378.rb b/controls/SV-238378.rb
index 3b6ba05..dd1309a 100644
--- a/controls/SV-238378.rb
+++ b/controls/SV-238378.rb
@@ -46,6 +46,7 @@
 $ sudo chgrp root [FILE]"
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000259-GPOS-00100 "
 tag gid: "V-238378 "
diff --git a/controls/SV-238379.rb b/controls/SV-238379.rb
index bd4e1b2..f441081 100644
--- a/controls/SV-238379.rb
+++ b/controls/SV-238379.rb
@@ -41,6 +41,7 @@
 # dconf update"
 impact 0.7
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "high "
 tag gtitle: "SRG-OS-000480-GPOS-00227 "
 tag gid: "V-238379 "
diff --git a/controls/SV-238380.rb b/controls/SV-238380.rb
index de35fbe..cd79ec1 100644
--- a/controls/SV-238380.rb
+++ b/controls/SV-238380.rb
@@ -36,6 +36,7 @@
 $ sudo systemctl daemon-reload"
 impact 0.7
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "high "
 tag gtitle: "SRG-OS-000480-GPOS-00227 "
 tag gid: "V-238380 "
diff --git a/controls/SV-251503.rb b/controls/SV-251503.rb
index 453a37a..dea4006 100644
--- a/controls/SV-251503.rb
+++ b/controls/SV-251503.rb
@@ -21,6 +21,7 @@
 $ sudo passwd -l [username]"
 impact 0.7
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "high "
 tag gtitle: "SRG-OS-000480-GPOS-00227 "
 tag gid: "V-251503 "
diff --git a/controls/SV-251504.rb b/controls/SV-251504.rb
index 8a4940f..87ee0ad 100644
--- a/controls/SV-251504.rb
+++ b/controls/SV-251504.rb
@@ -22,6 +22,7 @@
 instances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with empty passwords."
 impact 0.7
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "high "
 tag gtitle: "SRG-OS-000480-GPOS-00227 "
 tag gid: "V-251504 "
diff --git a/controls/SV-251505.rb b/controls/SV-251505.rb
index 4ad320e..9d67a5e 100644
--- a/controls/SV-251505.rb
+++ b/controls/SV-251505.rb
@@ -32,24 +32,21 @@
 If the command does not return any output, or the line is commented out, this is a finding."
- desc "fix", "Configure the Ubuntu operating system to disable using the USB storage kernel module.
-
+ desc "fix", "Configure the Ubuntu operating system to disable using the USB storage kernel module.
 Create a file under \"/etc/modprobe.d\" to contain the following:
-# sudo su -c \"echo
-install usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\"
+# sudo su -c \"echo install usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\"
-Configure the
-operating system to disable the ability to use USB mass storage devices.
+Configure the operating system to disable the ability to use USB mass storage devices.
-# sudo su -c \"echo
-blacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\""
+# sudo su -c \"echo blacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\""
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000378-GPOS-00163 "
 tag gid: "V-251505 "
- tag rid: "SV-251505r853450_rule "
+ tag rid: "SV-251505r808512_rule"
 tag stig_id: "UBTU-20-010461 "
 tag fix_id: "F-54894r808511_fix "
 tag cci: ["CCI-001958"]
diff --git a/controls/SV-252704.rb b/controls/SV-252704.rb
index 9f960e7..822d279 100644
--- a/controls/SV-252704.rb
+++ b/controls/SV-252704.rb
@@ -55,41 +55,33 @@
 If a wireless interface is configured and has not been documented and approved by the ISSO, this is a finding."
- desc "fix", "List all the wireless interfaces with the following command:
-
-$ ls -L -d
-/sys/class/net/*/wireless | xargs dirname | xargs basename
-
-For each interface,
-configure the system to disable wireless network interfaces with the following command:
-
-$
-sudo ifdown <interface name>
-
-For each interface listed, find their respective
-module with the following command:
-
-$ basename $(readlink -f
-/sys/class/net/<interface name>/device/driver)
-
-where <interface name>
-must be substituted by the actual interface name.
-
-Create a file in the \"/etc/modprobe.d\"
-directory and for each module, add the following line:
-
-install <module name>
-/bin/true
-
-For each module from the system, execute the following command to remove it:
-
-$
-sudo modprobe -r <module name>"
+ desc "fix", "List all the wireless interfaces with the following command:
+
+$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename
+
+For each interface, configure the system to disable wireless network interfaces with the following command:
+
+$ sudo ifdown
+
+For each interface listed, find their respective module with the following command:
+
+$ basename $(readlink -f /sys/class/net//device/driver)
+
+where must be substituted by the actual interface name.
+
+Create a file in the \"/etc/modprobe.d\" directory and for each module, add the following line:
+
+install /bin/true
+
+For each module from the system, execute the following command to remove it:
+
+$ sudo modprobe -r "
 impact 0.5
+ ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "medium "
 tag gtitle: "SRG-OS-000481-GPOS-00481 "
 tag gid: "V-252704 "
- tag rid: "SV-252704r854182_rule "
+ tag rid: "SV-252704r819057_rule"
 tag stig_id: "UBTU-20-010455 "
 tag fix_id: "F-56110r819056_fix "
 tag cci: ["CCI-002418"]
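Review bot: The rewritten fix text has lost its placeholders: `$ sudo ifdown`, `/sys/class/net//device/driver`, `where must be substituted by the actual interface name.`, `install /bin/true` and `$ sudo modprobe -r "` no longer name the interface or module, which looks like the `<interface name>` / `<module name>` tokens being stripped as markup when the string was regenerated. The removed side still has them, so the new text is unusable as written and `install /bin/true` is not a valid modprobe directive. Restore the tokens, e.g. `$ sudo ifdown <interface name>`, `install <module name> /bin/true` and `$ sudo modprobe -r <module name>`, or escape angle brackets in whatever produced this string; other generated controls may have been stripped the same way, so a scan of the output for commands ending in a bare prompt or dash is worthwhile.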
From 7a7b203914795a715d50d569319b11705abaaad9 Mon Sep 17 00:00:00 2001 From: Emily Rodriguez Date: Fri, 2 Dec 2022 13:30:51 -0600 Subject: [PATCH 3/3] v1r6 
Signed-off-by: Emily Rodriguez --- controls/SV-238207.rb | 2 +- controls/SV-238208.rb | 2 +- controls/SV-238210.rb | 39 ++++++++++++--------- controls/SV-238211.rb | 25 ++++++++------ controls/SV-238212.rb | 26 ++++++++------ controls/SV-238213.rb | 27 +++++++++------ controls/SV-238214.rb | 79 ++++++++++++++++++++++++++++--------------- controls/SV-238215.rb | 2 +- controls/SV-238216.rb | 21 +++++++----- controls/SV-238217.rb | 22 +++++++----- controls/SV-238218.rb | 24 ++++++++----- controls/SV-238219.rb | 21 +++++++----- controls/SV-238220.rb | 23 ++++++++----- controls/SV-238230.rb | 2 +- controls/SV-238231.rb | 2 +- controls/SV-238232.rb | 2 +- controls/SV-238233.rb | 2 +- controls/SV-238235.rb | 2 +- controls/SV-238236.rb | 2 +- controls/SV-238238.rb | 2 +- controls/SV-238239.rb | 2 +- controls/SV-238240.rb | 2 +- controls/SV-238241.rb | 2 +- controls/SV-238242.rb | 2 +- controls/SV-238298.rb | 2 +- controls/SV-238304.rb | 2 +- controls/SV-238305.rb | 2 +- controls/SV-238306.rb | 2 +- controls/SV-238307.rb | 2 +- controls/SV-238308.rb | 2 +- controls/SV-238309.rb | 2 +- controls/SV-238321.rb | 2 +- controls/SV-238336.rb | 50 +++++++++++++++------------ controls/SV-238354.rb | 2 +- controls/SV-238355.rb | 2 +- controls/SV-238356.rb | 2 +- controls/SV-238357.rb | 2 +- controls/SV-238358.rb | 2 +- controls/SV-238359.rb | 2 +- controls/SV-238360.rb | 2 +- controls/SV-238361.rb | 2 +- controls/SV-238362.rb | 2 +- controls/SV-238363.rb | 2 +- controls/SV-238364.rb | 4 +-- controls/SV-238365.rb | 2 +- controls/SV-238366.rb | 2 +- controls/SV-238367.rb | 2 +- controls/SV-238368.rb | 2 +- controls/SV-238369.rb | 2 +- controls/SV-238370.rb | 2 +- controls/SV-238371.rb | 2 +- controls/SV-238372.rb | 2 +- controls/SV-238373.rb | 6 ++-- controls/SV-251505.rb | 2 +- controls/SV-252704.rb | 2 +- 55 files changed, 267 insertions(+), 184 deletions(-) diff --git a/controls/SV-238207.rb b/controls/SV-238207.rb index d634c25..a4e69a8 100644 --- a/controls/SV-238207.rb 
+++ b/controls/SV-238207.rb
@@ -79,7 +79,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000279-GPOS-00109 "
 tag gid: "V-238207 "
- tag rid: "SV-238207r653796_rule"
+ tag rid: "SV-238207r853404_rule "
 tag stig_id: "UBTU-20-010013 "
 tag fix_id: "F-41376r653795_fix "
 tag cci: ["CCI-002361"]
diff --git a/controls/SV-238208.rb b/controls/SV-238208.rb
index 52f5cfa..a54db6d 100644
--- a/controls/SV-238208.rb
+++ b/controls/SV-238208.rb
@@ -27,7 +27,7 @@
 tag gtitle: "SRG-OS-000373-GPOS-00156 "
 tag satisfies: ["SRG-OS-000373-GPOS-00156", "SRG-OS-000373-GPOS-00157"]
 tag gid: "V-238208 "
- tag rid: "SV-238208r653799_rule"
+ tag rid: "SV-238208r853405_rule "
 tag stig_id: "UBTU-20-010014 "
 tag fix_id: "F-41377r653798_fix "
 tag cci: ["CCI-002038"]
diff --git a/controls/SV-238210.rb b/controls/SV-238210.rb
index 4078a35..38a08cf 100644
--- a/controls/SV-238210.rb
+++ b/controls/SV-238210.rb
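Review bot: The new `tag rid: "SV-238207r853404_rule "` introduces a trailing space inside the rule id that the removed line did not have, and every rid hunk in this patch does the same (SV-238208, SV-238210 through SV-238220, SV-238230 through SV-238305 below). A rule id is an exact-match key for anything that maps results back to the benchmark, so the padded string will not equal `SV-238207r853404_rule`. Suggest `tag rid: "SV-238207r853404_rule"` and the same trim for the other files, preferably in the generator rather than by hand, since `gid`, `severity` and `stig_id` carry the same padding.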
@@ -47,21 +47,28 @@
 The DoD CAC with DoD-approved PKI is an example of multifactor authentication."
- desc "check", "Verify the Ubuntu operating system has the packages required for multifactor authentication installed with the following commands:
-
-$ dpkg -l | grep libpam-pkcs11
-
-ii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards
-
-If the \"libpam-pkcs11\" package is not installed, this is a finding.
-
-Verify the sshd daemon allows public key authentication with the following,
-
-$ grep ^Pubkeyauthentication /etc/ssh/sshd_config
-
-PubkeyAuthentication yes
-
-If this option is set to \"no\" or is missing, this is a finding."
+ desc "check", "Verify the Ubuntu operating system has the packages required for multifactor
+authentication installed with the following commands:
+
+$ dpkg -l | grep libpam-pkcs11
+
+ii
+libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards
+
+If the
+\"libpam-pkcs11\" package is not installed, this is a finding.
+
+Verify the sshd daemon allows
+public key authentication with the following command:
+
+$ grep -r ^Pubkeyauthentication
+/etc/ssh/sshd_config*
+
+PubkeyAuthentication yes
+
+If this option is set to \"no\" or is
+missing, this is a finding.
+If conflicting results are returned, this is a finding."
 desc "fix", "Configure the Ubuntu operating system to use multifactor authentication for network access to accounts.
@@ -78,7 +85,7 @@
 tag gtitle: "SRG-OS-000105-GPOS-00052 "
 tag satisfies: ["SRG-OS-000105-GPOS-00052", "SRG-OS-000106-GPOS-00053", "SRG-OS-000107-GPOS-00054", "SRG-OS-000108-GPOS-00055"]
 tag gid: "V-238210 "
- tag rid: "SV-238210r653805_rule"
+ tag rid: "SV-238210r858517_rule "
 tag stig_id: "UBTU-20-010033 "
 tag fix_id: "F-41379r653804_fix "
 tag cci: ["CCI-000765", "CCI-000766", "CCI-000767", "CCI-000768"]
diff --git a/controls/SV-238211.rb b/controls/SV-238211.rb
index 719d1fe..fdc369b 100644
--- a/controls/SV-238211.rb
+++ b/controls/SV-238211.rb
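Review bot: The rewritten check command `$ grep -r ^Pubkeyauthentication /etc/ssh/sshd_config*` is case-sensitive while the keyword it must find is spelled `PubkeyAuthentication`, as the expected output two lines later shows, so on a compliant host the command prints nothing and the reader records a false finding. The mismatch is inherited from the removed text, but since the hunk already rewrites the command to add `-r`, `$ grep -ir ^pubkeyauthentication /etc/ssh/sshd_config*` would fix both at once. Note too that once the glob matches more than one path (an `sshd_config.d` directory next to the main file, if present) grep prefixes each hit with its file name, so the bare `PubkeyAuthentication yes` shown will not appear verbatim. The `describe` block that implements this check is outside the hunk.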
@@ -19,15 +19,20 @@
 attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric."
- desc "check", "Verify the Ubuntu operating system is configured to use strong authenticators in the establishment of nonlocal maintenance and diagnostic maintenance.
-
-Verify that \"UsePAM\" is set to \"yes\" in \"/etc/ssh/sshd_config:
-
-$ grep ^UsePAM /etc/ssh/sshd_config
-
-UsePAM yes
-
-If \"UsePAM\" is not set to \"yes\", this is a finding."
+ desc "check", "Verify the Ubuntu operating system is configured to use strong authenticators in the
+establishment of nonlocal maintenance and diagnostic maintenance.
+
+Verify that \"UsePAM\"
+is set to \"yes\" in \"/etc/ssh/sshd_config:
+
+$ grep -r ^UsePAM
+/etc/ssh/sshd_config*
+
+UsePAM yes
+
+If \"UsePAM\" is not set to \"yes\", this is a finding.
+If
+conflicting results are returned, this is a finding."
 desc "fix", "Configure the Ubuntu operating system to use strong authentication when establishing nonlocal maintenance and diagnostic sessions.
@@ -40,7 +45,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000125-GPOS-00065 "
 tag gid: "V-238211 "
- tag rid: "SV-238211r653808_rule"
+ tag rid: "SV-238211r858519_rule "
 tag stig_id: "UBTU-20-010035 "
 tag fix_id: "F-41380r653807_fix "
 tag cci: ["CCI-000877"]
diff --git a/controls/SV-238212.rb b/controls/SV-238212.rb
index 9632f90..957753c 100644
--- a/controls/SV-238212.rb
+++ b/controls/SV-238212.rb
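Review bot: The rewritten check text keeps an unbalanced escaped quote: `is set to \"yes\" in \"/etc/ssh/sshd_config:` opens a quoted path and never closes it, which renders as a stray quote in every report that prints the check. The defect predates the hunk, but the line is being rewritten anyway, so `is set to \"yes\" in \"/etc/ssh/sshd_config\":` would be the cheap fix. The `control` block enclosing this description starts outside the hunk.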
@@ -41,15 +41,21 @@
 This capability is typically reserved for specific Ubuntu operating system functionality where the system owner, data owner, or organization requires additional assurance."
- desc "check", "Verify that all network connections associated with SSH traffic automatically terminate after a period of inactivity.
-
-Verify the \"ClientAliveCountMax\" variable is set in the \"/etc/ssh/sshd_config\" file by performing the following command:
-
-$ sudo grep -i clientalivecountmax /etc/ssh/sshd_config
-
-ClientAliveCountMax 1
-
-If \"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding."
+ desc "check", "Verify that all network connections associated with SSH traffic automatically terminate
+after a period of inactivity.
+
+Verify the \"ClientAliveCountMax\" variable is set in the
+\"/etc/ssh/sshd_config\" file by performing the following command:
+
+$ sudo grep -ir
+clientalivecountmax /etc/ssh/sshd_config*
+
+ClientAliveCountMax 1
+
+If
+\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.
+If
+conflicting results are returned, this is a finding."
 desc "fix", "Configure the Ubuntu operating system to automatically terminate inactive SSH sessions after a period of inactivity.
@@ -68,7 +74,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000126-GPOS-00066 "
 tag gid: "V-238212 "
- tag rid: "SV-238212r653811_rule"
+ tag rid: "SV-238212r858521_rule "
 tag stig_id: "UBTU-20-010036 "
 tag fix_id: "F-41381r653810_fix "
 tag cci: ["CCI-000879"]
diff --git a/controls/SV-238213.rb b/controls/SV-238213.rb
index ab34c73..04450df 100644
--- a/controls/SV-238213.rb
+++ b/controls/SV-238213.rb
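Review bot: The check text now inspects `/etc/ssh/sshd_config*`, i.e. the drop-in directory as well as the main file, and adds `If conflicting results are returned, this is a finding.`, but the `describe` block that implements this control is outside the hunk and the diffstat for this file is consistent with only the description and rid lines changing. If the InSpec code still reads only `/etc/ssh/sshd_config`, the documented check and the automated check now disagree on a host whose `ClientAliveCountMax` is set (or overridden) from an `Include`d file; the same applies to SV-238213, SV-238216, SV-238217, SV-238219 and SV-238220 in this patch. Either extend the resource to the included files or note the gap in the control so assessors do not take the automated result as covering the drop-ins.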
@@ -25,15 +25,22 @@
 sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session."
- desc "check", "Verify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.
-
-Verify the \"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following command:
-
-$ sudo grep -i clientalive /etc/ssh/sshd_config
-
-ClientAliveInterval 600
-
-If \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding."
+ desc "check", "Verify that all network connections associated with SSH traffic are automatically
+terminated at the end of the session or after 10 minutes of inactivity.
+
+Verify the
+\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following
+command:
+
+$ sudo grep -ir clientalive /etc/ssh/sshd_config*
+
+ClientAliveInterval
+600
+
+If \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in
+\"/etc/ssh/sshd_config\", or is commented out, this is a finding.
+If conflicting results are
+returned, this is a finding."
 desc "fix", "Configure the Ubuntu operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a 10-minute period of inactivity.
@@ -52,7 +59,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000163-GPOS-00072 "
 tag gid: "V-238213 "
- tag rid: "SV-238213r653814_rule"
+ tag rid: "SV-238213r858523_rule "
 tag stig_id: "UBTU-20-010037 "
 tag fix_id: "F-41382r653813_fix "
 tag cci: ["CCI-001133"]
diff --git a/controls/SV-238214.rb b/controls/SV-238214.rb
index 4f15bf1..648ddd0 100644
--- a/controls/SV-238214.rb
+++ b/controls/SV-238214.rb
@@ -95,33 +95,58 @@
 \"I've read & consent to terms in IS user agreem't.\""
- desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via an SSH logon with the following command:
-
-$ grep -ir banner /etc/ssh/sshd_config*
-
+ desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent
+Banner before granting access to the Ubuntu operating system via an SSH logon with the
+following command:
+
+$ grep -ir banner /etc/ssh/sshd_config*
+
+
 /etc/ssh/sshd_config:Banner /etc/issue.net
-
-The command will return the banner option along with the name of the file that contains the SSH banner. If the line is commented out, this is a finding.
-
-Verify the specified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:
-
-$ cat /etc/issue.net
-
-\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
-
-By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-
--The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-
--At any time, the USG may inspect and seize data stored on this IS.
-
--Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-
--This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-
--Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"
-
-If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding."
+
+The command will return the banner option
+along with the name of the file that contains the SSH banner. If the line is commented out, this
+is a finding.
+
+If conflicting results are returned, this is a finding.
+
+Verify the
+specified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:
+
+
+$ cat /etc/issue.net
+
+\"You are accessing a U.S. Government (USG) Information System (IS)
+that is provided for USG-authorized use only.
+
+By using this IS (which includes any device
+attached to this IS), you consent to the following conditions:
+
+-The USG routinely
+intercepts and monitors communications on this IS for purposes including, but not limited
+to, penetration testing, COMSEC monitoring, network operations and defense, personnel
+misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using,
+or data stored on, this IS are not private, are subject to routine monitoring, interception,
+and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes
+security measures (e.g., authentication and access controls) to protect USG
+interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using
+this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of
+the content of privileged communications, or work product, related to personal
+representation or services by attorneys, psychotherapists, or clergy, and their
+assistants. Such communications and work product are private and confidential. See User
+Agreement for details.\"
+
+If the banner text does not match the Standard Mandatory DoD Notice
+and Consent Banner exactly, this is a finding."
 desc "fix", "Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:
@@ -172,7 +197,7 @@
 tag gtitle: "SRG-OS-000228-GPOS-00088 "
 tag satisfies: ["SRG-OS-000228-GPOS-00088", "SRG-OS-000023-GPOS-00006"]
 tag gid: "V-238214 "
- tag rid: "SV-238214r832938_rule"
+ tag rid: "SV-238214r858525_rule "
 tag stig_id: "UBTU-20-010038 "
 tag fix_id: "F-41383r653816_fix "
 tag cci: ["CCI-000048", "CCI-001384", "CCI-001385", "CCI-001386", "CCI-001387", "CCI-001388"]
diff --git a/controls/SV-238215.rb b/controls/SV-238215.rb
index 6009210..f666f50 100644
--- a/controls/SV-238215.rb
+++ b/controls/SV-238215.rb
@@ -76,7 +76,7 @@
 tag gtitle: "SRG-OS-000423-GPOS-00187 "
 tag satisfies: ["SRG-OS-000423-GPOS-00187", "SRG-OS-000425-GPOS-00189", "SRG-OS-000426-GPOS-00190"]
 tag gid: "V-238215 "
- tag rid: "SV-238215r653820_rule"
+ tag rid: "SV-238215r853406_rule "
 tag stig_id: "UBTU-20-010042 "
 tag fix_id: "F-41384r653819_fix "
 tag cci: ["CCI-002418", "CCI-002420", "CCI-002422"]
diff --git a/controls/SV-238216.rb b/controls/SV-238216.rb
index 2bcc1c2..24fb77d 100644
--- a/controls/SV-238216.rb
+++ b/controls/SV-238216.rb
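Review bot: The rewritten banner check introduces doubled blank lines that the removed text did not have (two `+` lines after `$ grep -ir banner /etc/ssh/sshd_config*`, before `$ cat /etc/issue.net`, and before `-At any time`), which read as wrapping artifacts of the import and render as extra paragraph gaps in reports. Worth collapsing them to single blanks before this text is frozen as the v1r6 baseline. On the positive side this hunk shows the expected output as `/etc/ssh/sshd_config:Banner /etc/issue.net`, i.e. with the file-name prefix that a multi-path grep produces, which is the form the other `sshd_config*` checks in this patch (SV-238210 through SV-238220) should also show instead of the bare keyword. The `control` block starts outside the hunk.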
@@ -43,13 +43,18 @@
 protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes."
- desc "check", "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers with the following command:
-
-$ grep -i macs /etc/ssh/sshd_config
-
-MACs hmac-sha2-512,hmac-sha2-256
-
-If any ciphers other than \"hmac-sha2-512\" or \"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is commented out, this is a finding."
+ desc "check", "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers
+with the following command:
+
+$ grep -ir macs /etc/ssh/sshd_config*
+
+MACs
+hmac-sha2-512,hmac-sha2-256
+
+If any ciphers other than \"hmac-sha2-512\" or
+\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is
+commented out, this is a finding.
+If conflicting results are returned, this is a finding."
 desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS 140-2 approved ciphers.
@@ -70,7 +75,7 @@
 tag gtitle: "SRG-OS-000424-GPOS-00188 "
 tag satisfies: ["SRG-OS-000424-GPOS-00188", "SRG-OS-000250-GPOS-00093", "SRG-OS-000393-GPOS-00173"]
 tag gid: "V-238216 "
- tag rid: "SV-238216r654316_rule"
+ tag rid: "SV-238216r860820_rule "
 tag stig_id: "UBTU-20-010043 "
 tag fix_id: "F-41385r653822_fix "
 tag cci: ["CCI-001453", "CCI-002421", "CCI-002890"]
diff --git a/controls/SV-238217.rb b/controls/SV-238217.rb
index e7b7225..577523c 100644
--- a/controls/SV-238217.rb
+++ b/controls/SV-238217.rb
@@ -54,13 +54,19 @@
 By specifying a cipher list with the order of ciphers being in a \"strongest to weakest\" orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections."
- desc "check", "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running the following command:
-
-$ grep -E 'Ciphers ' /etc/ssh/sshd_config
-
-Ciphers aes256-ctr,aes192-ctr,aes128-ctr
-
-If any ciphers other than \"aes256-ctr\", \"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding."
+ desc "check", "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running
+the following command:
+
+$ grep -r 'Ciphers' /etc/ssh/sshd_config*
+
+Ciphers
+aes256-ctr,aes192-ctr,aes128-ctr
+
+If any ciphers other than \"aes256-ctr\",
+\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the
+\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.
+If
+conflicting results are returned, this is a finding."
 desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to only implement FIPS-approved algorithms.
@@ -81,7 +87,7 @@
 tag gtitle: "SRG-OS-000424-GPOS-00188 "
 tag satisfies: ["SRG-OS-000424-GPOS-00188", "SRG-OS-000033-GPOS-00014", "SRG-OS-000394-GPOS-00174"]
 tag gid: "V-238217 "
- tag rid: "SV-238217r832940_rule"
+ tag rid: "SV-238217r860821_rule "
 tag stig_id: "UBTU-20-010044 "
 tag fix_id: "F-41386r653825_fix "
 tag cci: ["CCI-000068", "CCI-002421", "CCI-003123"]
diff --git a/controls/SV-238218.rb b/controls/SV-238218.rb
index f408ffa..b046f66 100644
--- a/controls/SV-238218.rb
+++ b/controls/SV-238218.rb
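Review bot: Dropping the trailing space from the pattern, `$ grep -r 'Ciphers' /etc/ssh/sshd_config*`, widens the match: as I recall the upstream example sshd_config ships a comment line beginning `# Ciphers and keying`, and the sentence that follows says a returned line that is commented out is a finding, so a correctly hardened host with the stock comment left in place is flagged. Suggest anchoring on the keyword, `$ grep -ir '^ciphers' /etc/ssh/sshd_config*`, or keeping the `-E 'Ciphers '` form and telling the reader to disregard comment lines. The `describe` block implementing the check is outside the hunk and is where any real false-positive would surface.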
@@ -4,14 +4,20 @@
 operating system security."
 desc "default", "Failure to restrict system access to authenticated users negatively impacts Ubuntu operating system security."
- desc "check", "Verify that unattended or automatic login via SSH is disabled with the following command:
-
-$ egrep '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config
-
-PermitEmptyPasswords no
-PermitUserEnvironment no
-
-If \"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are missing completely, or are commented out, this is a finding."
+ desc "check", "Verify that unattended or automatic login via SSH is disabled with the following command:
+
+$
+egrep -r '(Permit(.*?)(Passwords|Environment))'
+/etc/ssh/sshd_config
+
+PermitEmptyPasswords no
+PermitUserEnvironment no
+
+If
+\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are
+missing completely, or are commented out, this is a finding.
+If conflicting results are
+returned, this is a finding."
 desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or automatic login to the system.
@@ -31,7 +37,7 @@
 tag severity: "high "
 tag gtitle: "SRG-OS-000480-GPOS-00229 "
 tag gid: "V-238218 "
- tag rid: "SV-238218r653829_rule"
+ tag rid: "SV-238218r858531_rule "
 tag stig_id: "UBTU-20-010047 "
 tag fix_id: "F-41387r653828_fix "
 tag cci: ["CCI-000366"]
diff --git a/controls/SV-238219.rb b/controls/SV-238219.rb
index de94ce5..0e82e74 100644
--- a/controls/SV-238219.rb
+++ b/controls/SV-238219.rb
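Review bot: The new command `egrep -r '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config` adds `-r` but not the `*` glob that every other SSH check in this patch uses, so the recursion has nothing to descend into, `sshd_config.d` drop-ins are still not examined, and the added sentence about conflicting results promises a multi-file check the command does not perform. Suggest `$ grep -Er '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config*`, which also retires the obsolescent `egrep`. The wrapping here also leaves `$` alone on one line (`+$` / `+egrep -r ...` / `+/etc/ssh/sshd_config`), so the prompt, the command and its argument print on three separate lines in reports.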
@@ -29,13 +29,18 @@
 If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs."
- desc "check", "Verify that X11Forwarding is disabled with the following command:
-
-$ grep -i x11forwarding /etc/ssh/sshd_config | grep -v \"^#\"
-
-X11Forwarding no
-
-If the \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement or is missing, this is a finding."
+ desc "check", "Verify that X11Forwarding is disabled with the following command:
+
+$ grep -ir
+x11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"
+
+X11Forwarding no
+
+If the
+\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System
+Security Officer (ISSO) as an operational requirement or is missing, this is a finding.
+If
+conflicting results are returned, this is a finding."
 desc "fix", "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
@@ -52,7 +57,7 @@
 tag severity: "high "
 tag gtitle: "SRG-OS-000480-GPOS-00227 "
 tag gid: "V-238219 "
- tag rid: "SV-238219r653832_rule"
+ tag rid: "SV-238219r858533_rule "
 tag stig_id: "UBTU-20-010048 "
 tag fix_id: "F-41388r653831_fix "
 tag cci: ["CCI-000366"]
diff --git a/controls/SV-238220.rb b/controls/SV-238220.rb
index 0b4c2db..99e68dc 100644
--- a/controls/SV-238220.rb
+++ b/controls/SV-238220.rb
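Review bot: Once the first grep runs with `-r` over the `/etc/ssh/sshd_config*` glob it may search several paths (an `sshd_config.d` directory next to the main file, where present), and grep then prefixes every hit with its file name, so the `grep -v \"^#\"` filter that follows no longer removes commented-out `X11Forwarding` lines; a commented `#X11Forwarding` entry would be shown as if it were active. Suggest `$ grep -hir x11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"`, where `-h` suppresses the file-name prefix, or drop the second grep and state that commented lines are to be ignored, as SV-238220 below already does. The `describe` block implementing this control is outside the hunk.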
@@ -11,14 +11,19 @@
 default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display."
- desc "check", "Verify the SSH daemon prevents remote hosts from connecting to the proxy display.
-
-Check the SSH X11UseLocalhost setting with the following command:
-
-$ sudo grep -i x11uselocalhost /etc/ssh/sshd_config
-X11UseLocalhost yes
-
-If the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding."
+ desc "check", "Verify the SSH daemon prevents remote hosts from connecting to the proxy display.
+
+Check the
+SSH X11UseLocalhost setting with the following command:
+
+$ sudo grep -ir x11uselocalhost
+/etc/ssh/sshd_config*
+X11UseLocalhost yes
+
+If the \"X11UseLocalhost\" keyword is set to
+\"no\", is missing, or is commented out, this is a finding.
+If conflicting results are
+returned, this is a finding."
 desc "fix", "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. Edit
@@ -38,7 +43,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000480-GPOS-00227 "
 tag gid: "V-238220 "
- tag rid: "SV-238220r653835_rule"
+ tag rid: "SV-238220r858535_rule "
 tag stig_id: "UBTU-20-010049 "
 tag fix_id: "F-41389r653834_fix "
 tag cci: ["CCI-000366"]
diff --git a/controls/SV-238230.rb b/controls/SV-238230.rb
index 487d537..a160d96 100644
--- a/controls/SV-238230.rb
+++ b/controls/SV-238230.rb
@@ -68,7 +68,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000375-GPOS-00160 "
 tag gid: "V-238230 "
- tag rid: "SV-238230r653865_rule"
+ tag rid: "SV-238230r853410_rule "
 tag stig_id: "UBTU-20-010063 "
 tag fix_id: "F-41399r653864_fix "
 tag cci: ["CCI-001948"]
diff --git a/controls/SV-238231.rb b/controls/SV-238231.rb
index 1062816..ac4bde2 100644
--- a/controls/SV-238231.rb
+++ b/controls/SV-238231.rb
@@ -39,7 +39,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000376-GPOS-00161 "
 tag gid: "V-238231 "
- tag rid: "SV-238231r653868_rule"
+ tag rid: "SV-238231r853411_rule "
 tag stig_id: "UBTU-20-010064 "
 tag fix_id: "F-41400r653867_fix "
 tag cci: ["CCI-001953"]
diff --git a/controls/SV-238232.rb b/controls/SV-238232.rb
index 70cd898..b4ce824 100644
--- a/controls/SV-238232.rb
+++ b/controls/SV-238232.rb
@@ -39,7 +39,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000377-GPOS-00162 "
 tag gid: "V-238232 "
- tag rid: "SV-238232r653871_rule"
+ tag rid: "SV-238232r853412_rule "
 tag stig_id: "UBTU-20-010065 "
 tag fix_id: "F-41401r653870_fix "
 tag cci: ["CCI-001954"]
diff --git a/controls/SV-238233.rb b/controls/SV-238233.rb
index 0f00272..30cd2f2 100644
--- a/controls/SV-238233.rb
+++ b/controls/SV-238233.rb
@@ -37,7 +37,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000384-GPOS-00167 "
 tag gid: "V-238233 "
- tag rid: "SV-238233r653874_rule"
+ tag rid: "SV-238233r853413_rule "
 tag stig_id: "UBTU-20-010066 "
 tag fix_id: "F-41402r653873_fix "
 tag cci: ["CCI-001991"]
diff --git a/controls/SV-238235.rb b/controls/SV-238235.rb
index e2cf1e0..b3954e6 100644
--- a/controls/SV-238235.rb
+++ b/controls/SV-238235.rb
@@ -67,7 +67,7 @@
 tag gtitle: "SRG-OS-000329-GPOS-00128 "
 tag satisfies: ["SRG-OS-000329-GPOS-00128", "SRG-OS-000021-GPOS-00005"]
 tag gid: "V-238235 "
- tag rid: "SV-238235r802383_rule"
+ tag rid: "SV-238235r853414_rule "
 tag stig_id: "UBTU-20-010072 "
 tag fix_id: "F-41404r802382_fix "
 tag cci: ["CCI-000044", "CCI-002238"]
diff --git a/controls/SV-238236.rb b/controls/SV-238236.rb
index 8d9999e..3902b72 100644
--- a/controls/SV-238236.rb
+++ b/controls/SV-238236.rb
@@ -74,7 +74,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000446-GPOS-00200 "
 tag gid: "V-238236 "
- tag rid: "SV-238236r653883_rule"
+ tag rid: "SV-238236r853415_rule "
 tag stig_id: "UBTU-20-010074 "
 tag fix_id: "F-41405r653882_fix "
 tag cci: ["CCI-002699"]
diff --git a/controls/SV-238238.rb b/controls/SV-238238.rb
index cae33cf..7325a71 100644
--- a/controls/SV-238238.rb
+++ b/controls/SV-238238.rb
@@ -53,7 +53,7 @@
 tag gtitle: "SRG-OS-000004-GPOS-00004 "
 tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000463-GPOS-00207", "SRG-OS-000476-GPOS-00221"]
 tag gid: "V-238238 "
- tag rid: "SV-238238r653889_rule"
+ tag rid: "SV-238238r853416_rule "
 tag stig_id: "UBTU-20-010100 "
 tag fix_id: "F-41407r653888_fix "
 tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"]
diff --git a/controls/SV-238239.rb b/controls/SV-238239.rb
index 7a904eb..b753c30 100644
--- a/controls/SV-238239.rb
+++ b/controls/SV-238239.rb
@@ -53,7 +53,7 @@
 tag gtitle: "SRG-OS-000004-GPOS-00004 "
 tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"]
 tag gid: "V-238239 "
- tag rid: "SV-238239r653892_rule"
+ tag rid: "SV-238239r853417_rule "
 tag stig_id: "UBTU-20-010101 "
 tag fix_id: "F-41408r653891_fix "
 tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"]
diff --git a/controls/SV-238240.rb b/controls/SV-238240.rb
index edfc70b..e936886 100644
--- a/controls/SV-238240.rb
+++ b/controls/SV-238240.rb
@@ -53,7 +53,7 @@
 tag gtitle: "SRG-OS-000004-GPOS-00004 "
 tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"]
 tag gid: "V-238240 "
- tag rid: "SV-238240r653895_rule"
+ tag rid: "SV-238240r853418_rule "
 tag stig_id: "UBTU-20-010102 "
 tag fix_id: "F-41409r653894_fix "
 tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"]
diff --git a/controls/SV-238241.rb b/controls/SV-238241.rb
index 43227f4..dad0a8b 100644
--- a/controls/SV-238241.rb
+++ b/controls/SV-238241.rb
@@ -53,7 +53,7 @@
 tag gtitle: "SRG-OS-000004-GPOS-00004 "
 tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"]
 tag gid: "V-238241 "
- tag rid: "SV-238241r653898_rule"
+ tag rid: "SV-238241r853419_rule "
 tag stig_id: "UBTU-20-010103 "
 tag fix_id: "F-41410r653897_fix "
 tag cci: ["CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"]
diff --git a/controls/SV-238242.rb b/controls/SV-238242.rb
index 7453e7b..8073101 100644
--- a/controls/SV-238242.rb
+++ b/controls/SV-238242.rb
@@ -53,7 +53,7 @@
 tag gtitle: "SRG-OS-000004-GPOS-00004 "
 tag satisfies: ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000458-GPOS-00203", "SRG-OS-000476-GPOS-00221"]
 tag gid: "V-238242 "
- tag rid: "SV-238242r653901_rule"
+ tag rid: "SV-238242r853420_rule "
 tag stig_id: "UBTU-20-010104 "
 tag fix_id: "F-41411r653900_fix "
 tag cci: ["CCI-000018", "CCI-000172", "CCI-001403", "CCI-001404", "CCI-001405", "CCI-002130"]
diff --git a/controls/SV-238298.rb b/controls/SV-238298.rb
index 37c1d50..04dafa3 100644
--- a/controls/SV-238298.rb
+++ b/controls/SV-238298.rb
@@ -102,7 +102,7 @@
 tag gtitle: "SRG-OS-000122-GPOS-00063 "
 tag satisfies: ["SRG-OS-000122-GPOS-00063", "SRG-OS-000037-GPOS-00015", "SRG-OS-000038-GPOS-00016", "SRG-OS-000039-GPOS-00017", "SRG-OS-000040-GPOS-00018", "SRG-OS-000041-GPOS-00019", "SRG-OS-000042-GPOS-00020", "SRG-OS-000042-GPOS-00021", "SRG-OS-000051-GPOS-00024", "SRG-OS-000054-GPOS-00025", "SRG-OS-000062-GPOS-00031", "SRG-OS-000337-GPOS-00129", "SRG-OS-000348-GPOS-00136", "SRG-OS-000349-GPOS-00137", "SRG-OS-000350-GPOS-00138", "SRG-OS-000351-GPOS-00139", "SRG-OS-000352-GPOS-00140", "SRG-OS-000353-GPOS-00141", "SRG-OS-000354-GPOS-00142", "SRG-OS-000475-GPOS-00220"]
 tag gid: "V-238298 "
- tag rid: "SV-238298r654069_rule"
+ tag rid: "SV-238298r853421_rule "
 tag stig_id: "UBTU-20-010182 "
 tag fix_id: "F-41467r654068_fix "
 tag cci: ["CCI-000130", "CCI-000131", "CCI-000132", "CCI-000133", "CCI-000134", "CCI-000135", "CCI-000154", "CCI-000158", "CCI-000169", "CCI-000172", "CCI-001875", "CCI-001876", "CCI-001877", "CCI-001878", "CCI-001879", "CCI-001880", "CCI-001881", "CCI-001882", "CCI-001914"]
diff --git a/controls/SV-238304.rb b/controls/SV-238304.rb
index 07a99cb..ec0756d 100644
--- a/controls/SV-238304.rb
+++ b/controls/SV-238304.rb
@@ -72,7 +72,7 @@
 tag gtitle: "SRG-OS-000326-GPOS-00126 "
 tag satisfies: ["SRG-OS-000326-GPOS-00126", "SRG-OS-000327-GPOS-00127"]
 tag gid: "V-238304 "
- tag rid: "SV-238304r654087_rule"
+ tag rid: "SV-238304r853422_rule "
 tag stig_id: "UBTU-20-010211 "
 tag fix_id: "F-41473r654086_fix "
 tag cci: ["CCI-002233", "CCI-002234"]
diff --git a/controls/SV-238305.rb b/controls/SV-238305.rb
index adef19e..57568d2 100644
--- a/controls/SV-238305.rb
+++ b/controls/SV-238305.rb
@@ -64,7 +64,7 @@
 tag severity: "low "
 tag gtitle: "SRG-OS-000341-GPOS-00132 "
 tag gid: "V-238305 "
- tag rid: "SV-238305r654090_rule"
+ tag rid: "SV-238305r853423_rule "
 tag stig_id: "UBTU-20-010215 "
 tag fix_id: "F-41474r654089_fix "
 tag cci: ["CCI-001849"]
diff --git a/controls/SV-238306.rb b/controls/SV-238306.rb
index 8393f8a..d62558b 100644
--- a/controls/SV-238306.rb
+++ b/controls/SV-238306.rb
@@ -68,7 +68,7 @@
 tag gtitle: "SRG-OS-000342-GPOS-00133 "
 tag satisfies: ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
 tag gid: "V-238306 "
- tag rid: "SV-238306r654093_rule"
+ tag rid: "SV-238306r853424_rule "
 tag stig_id: "UBTU-20-010216 "
 tag fix_id: "F-41475r654092_fix "
 tag cci: ["CCI-001851"]
diff --git a/controls/SV-238307.rb b/controls/SV-238307.rb
index 4c1660d..c9cf3db 100644
--- a/controls/SV-238307.rb
+++ b/controls/SV-238307.rb
@@ -67,7 +67,7 @@
 tag severity: "low "
 tag gtitle: "SRG-OS-000343-GPOS-00134 "
 tag gid: "V-238307 "
- tag rid: "SV-238307r654096_rule"
+ tag rid: "SV-238307r853425_rule "
 tag stig_id: "UBTU-20-010217 "
 tag fix_id: "F-41476r654095_fix "
 tag cci: ["CCI-001855"]
diff --git a/controls/SV-238308.rb b/controls/SV-238308.rb
index 996e5f0..c9f778d 100644
--- a/controls/SV-238308.rb
+++ b/controls/SV-238308.rb
@@ -30,7 +30,7 @@
 tag severity: "low "
 tag gtitle: "SRG-OS-000359-GPOS-00146 "
 tag gid: "V-238308 "
- tag rid: "SV-238308r654099_rule"
+ tag rid: "SV-238308r853426_rule "
 tag stig_id: "UBTU-20-010230 "
 tag fix_id: "F-41477r654098_fix "
 tag cci: ["CCI-001890"]
diff --git a/controls/SV-238309.rb b/controls/SV-238309.rb
index 7e55881..1b40041 100644
--- a/controls/SV-238309.rb
+++ b/controls/SV-238309.rb
@@ -75,7 +75,7 @@
 tag gtitle: "SRG-OS-000392-GPOS-00172 "
 tag satisfies: ["SRG-OS-000392-GPOS-00172", "SRG-OS-000471-GPOS-00215"]
 tag gid: "V-238309 "
- tag rid: "SV-238309r654102_rule"
+ tag rid: "SV-238309r853427_rule "
 tag stig_id: "UBTU-20-010244 "
 tag fix_id: "F-41478r654101_fix "
 tag cci: ["CCI-000172", "CCI-002884"]
diff --git a/controls/SV-238321.rb b/controls/SV-238321.rb
index fbd3d65..990c3f4 100644
--- a/controls/SV-238321.rb
+++ b/controls/SV-238321.rb
@@ -38,7 +38,7 @@
 tag severity: "low "
 tag gtitle: "SRG-OS-000479-GPOS-00224 "
 tag gid: "V-238321 "
- tag rid: "SV-238321r654138_rule"
+ tag rid: "SV-238321r853428_rule "
 tag stig_id: "UBTU-20-010300 "
 tag fix_id: "F-41490r654137_fix "
 tag cci: ["CCI-001851"]
diff --git a/controls/SV-238336.rb b/controls/SV-238336.rb
index da6df5d..97c272e 100644
--- a/controls/SV-238336.rb
+++ b/controls/SV-238336.rb
@@ -15,34 +15,40 @@ To support this requirement, the operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools, as specified in the requirement."
- desc "check", "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding. However, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and running.
-
-Check that the \"mfetp\" package has been installed:
-
-# dpkg -l | grep mfetp
-
-If the \"mfetp\" package is not installed, this finding will remain as a CAT II.
-
-Check that the daemon is running:
-
-# /opt/McAfee/ens/tp/init/mfetpd-control.sh status
-
-If the daemon is not running, this finding will remain as a CAT II."
- desc "fix", "The Ubuntu operating system is not compliant with this requirement; however, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and running.
-
-Configure the Ubuntu operating system to use ENSLTP.
-
-Install the \"mfetp\" package:
-
-# sudo apt-get install mfetp"
+ desc "check", "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.
+However, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and
+running.
+
+Check that the \"mcafeetp\" package has been installed:
+
+# dpkg -l | grep mcafeetp
+
+
+If the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.
+
+Check that
+the daemon is running:
+
+# /opt/McAfee/ens/tp/init/mfetpd-control.sh status
+
+If the
+daemon is not running, this finding will remain as a CAT II."
+ desc "fix", "The Ubuntu operating system is not compliant with this requirement; however, the severity
+level can be mitigated to a CAT III if the ENSLTP module is installed and running.
+
+Configure
+the Ubuntu operating system to use ENSLTP.
+
+Install the \"mcafeetp\" package via the ePO
+server."
 impact 0.3
 ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
 tag severity: "low "
 tag gtitle: "SRG-OS-000191-GPOS-00080 "
 tag gid: "V-238336 "
- tag rid: "SV-238336r654183_rule"
+ tag rid: "SV-238336r858538_rule "
 tag stig_id: "UBTU-20-010415 "
- tag fix_id: "F-41505r654182_fix"
+ tag fix_id: "F-41505r858537_fix "
 tag cci: ["CCI-001233"]
 tag nist: ["SI-2 (2)"]
diff --git a/controls/SV-238354.rb b/controls/SV-238354.rb
index e56eb11..34afbc6 100644
--- a/controls/SV-238354.rb
+++ b/controls/SV-238354.rb
@@ -52,7 +52,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000297-GPOS-00115 "
 tag gid: "V-238354 "
- tag rid: "SV-238354r654237_rule"
+ tag rid: "SV-238354r853429_rule "
 tag stig_id: "UBTU-20-010433 "
 tag fix_id: "F-41523r654236_fix "
 tag cci: ["CCI-002314"]
diff --git a/controls/SV-238355.rb b/controls/SV-238355.rb
index cc3540c..a7f0071 100644
--- a/controls/SV-238355.rb
+++ b/controls/SV-238355.rb
@@ -60,7 +60,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000297-GPOS-00115 "
 tag gid: "V-238355 "
- tag rid: "SV-238355r654240_rule"
+ tag rid: "SV-238355r853430_rule "
 tag stig_id: "UBTU-20-010434 "
 tag fix_id: "F-41524r654239_fix "
 tag cci: ["CCI-002314"]
diff --git a/controls/SV-238356.rb b/controls/SV-238356.rb
index 4ed0194..1395f85 100644
--- a/controls/SV-238356.rb
+++ b/controls/SV-238356.rb
@@ -77,7 +77,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000355-GPOS-00143 "
 tag gid: "V-238356 "
- tag rid: "SV-238356r808492_rule"
+ tag rid: "SV-238356r853431_rule "
 tag stig_id: "UBTU-20-010435 "
 tag fix_id: "F-41525r808491_fix "
 tag cci: ["CCI-001891"]
diff --git a/controls/SV-238357.rb b/controls/SV-238357.rb
index 156f7ea..2859c7d 100644
--- a/controls/SV-238357.rb
+++ b/controls/SV-238357.rb
@@ -60,7 +60,7 @@
 tag severity: "low "
 tag gtitle: "SRG-OS-000356-GPOS-00144 "
 tag gid: "V-238357 "
- tag rid: "SV-238357r654246_rule"
+ tag rid: "SV-238357r853432_rule "
 tag stig_id: "UBTU-20-010436 "
 tag fix_id: "F-41526r654245_fix "
 tag cci: ["CCI-002046"]
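Review bot: The rewritten `desc "check"` and `desc "fix"` strings for SV-238336 now break mid-sentence (`Check that` / `the daemon is running:`, `If the` / `daemon is not running`, `Configure` / `the Ubuntu operating system`) and carry a doubled blank line after the dpkg command; these newlines are part of the string value and are emitted verbatim into InSpec reports. If the wrapping is a by-product of the delta tooling, reflow each paragraph onto a single line so the source wrapping does not leak into the rendered guidance. The package rename to `mcafeetp` applies only to the description text here; the control's describe block lies outside the hunk, so check that any package or service assertion there was renamed to match. Note also that the status command still points at `/opt/McAfee/ens/tp/init/mfetpd-control.sh`, which is presumably what the updated STIG says but is worth confirming given the rename.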
diff --git a/controls/SV-238358.rb b/controls/SV-238358.rb
index c865b56..c689889 100644
--- a/controls/SV-238358.rb
+++ b/controls/SV-238358.rb
@@ -46,7 +46,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000363-GPOS-00150 "
 tag gid: "V-238358 "
- tag rid: "SV-238358r654249_rule"
+ tag rid: "SV-238358r853433_rule "
 tag stig_id: "UBTU-20-010437 "
 tag fix_id: "F-41527r654248_fix "
 tag cci: ["CCI-001744"]
diff --git a/controls/SV-238359.rb b/controls/SV-238359.rb
index 4fbbf6d..dab9b5b 100644
--- a/controls/SV-238359.rb
+++ b/controls/SV-238359.rb
@@ -64,7 +64,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000366-GPOS-00153 "
 tag gid: "V-238359 "
- tag rid: "SV-238359r654319_rule"
+ tag rid: "SV-238359r853434_rule "
 tag stig_id: "UBTU-20-010438 "
 tag fix_id: "F-41528r654251_fix "
 tag cci: ["CCI-001749"]
diff --git a/controls/SV-238360.rb b/controls/SV-238360.rb
index 7c97638..3ad7806 100644
--- a/controls/SV-238360.rb
+++ b/controls/SV-238360.rb
@@ -78,7 +78,7 @@
 tag gtitle: "SRG-OS-000368-GPOS-00154 "
 tag satisfies: ["SRG-OS-000368-GPOS-00154", "SRG-OS-000312-GPOS-00122", "SRG-OS-000312-GPOS-00123", "SRG-OS-000312-GPOS-00124", "SRG-OS-000324-GPOS-00125", "SRG-OS-000370-GPOS-00155"]
 tag gid: "V-238360 "
- tag rid: "SV-238360r654255_rule"
+ tag rid: "SV-238360r853435_rule "
 tag stig_id: "UBTU-20-010439 "
 tag fix_id: "F-41529r654254_fix "
 tag cci: ["CCI-001764", "CCI-001774", "CCI-002165", "CCI-002235"]
diff --git a/controls/SV-238361.rb b/controls/SV-238361.rb
index a11c0dd..91964a8 100644
--- a/controls/SV-238361.rb
+++ b/controls/SV-238361.rb
@@ -39,7 +39,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000380-GPOS-00165 "
 tag gid: "V-238361 "
- tag rid: "SV-238361r654258_rule"
+ tag rid: "SV-238361r853436_rule "
 tag stig_id: "UBTU-20-010440 "
 tag fix_id: "F-41530r654257_fix "
 tag cci: ["CCI-002041"]
diff --git a/controls/SV-238362.rb b/controls/SV-238362.rb
index 12195c3..a89abbd 100644
--- a/controls/SV-238362.rb
+++ b/controls/SV-238362.rb
@@ -33,7 +33,7 @@
 tag severity: "low "
 tag gtitle: "SRG-OS-000383-GPOS-00166 "
 tag gid: "V-238362 "
- tag rid: "SV-238362r654261_rule"
+ tag rid: "SV-238362r853437_rule "
 tag stig_id: "UBTU-20-010441 "
 tag fix_id: "F-41531r654260_fix "
 tag cci: ["CCI-002007"]
diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb
index 14cdc5a..433da59 100644
--- a/controls/SV-238363.rb
+++ b/controls/SV-238363.rb
@@ -35,7 +35,7 @@
 tag gtitle: "SRG-OS-000396-GPOS-00176 "
 tag satisfies: ["SRG-OS-000396-GPOS-00176", "SRG-OS-000478-GPOS-00223"]
 tag gid: "V-238363 "
- tag rid: "SV-238363r654320_rule"
+ tag rid: "SV-238363r853438_rule "
 tag stig_id: "UBTU-20-010442 "
 tag fix_id: "F-41532r654263_fix "
 tag cci: ["CCI-002450"]
diff --git a/controls/SV-238364.rb b/controls/SV-238364.rb
index f7d5efa..018c12a 100644
--- a/controls/SV-238364.rb
+++ b/controls/SV-238364.rb
@@ -55,9 +55,9 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000403-GPOS-00182 "
 tag gid: "V-238364 "
- tag rid: "SV-238364r832965_rule"
+ tag rid: "SV-238364r860824_rule "
 tag stig_id: "UBTU-20-010443 "
- tag fix_id: "F-41533r832964_fix"
+ tag fix_id: "F-41533r860823_fix "
 tag cci: ["CCI-002470"]
 tag nist: ["SC-23 (5)"]
diff --git a/controls/SV-238365.rb b/controls/SV-238365.rb
index 3a432c2..800103b 100644
--- a/controls/SV-238365.rb
+++ b/controls/SV-238365.rb
@@ -69,7 +69,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000404-GPOS-00183 "
 tag gid: "V-238365 "
- tag rid: "SV-238365r654270_rule"
+ tag rid: "SV-238365r853442_rule "
 tag stig_id: "UBTU-20-010444 "
 tag fix_id: "F-41534r654269_fix "
 tag cci: ["CCI-002475"]
diff --git a/controls/SV-238366.rb b/controls/SV-238366.rb
index 2d10d2d..a32709e 100644
--- a/controls/SV-238366.rb
+++ b/controls/SV-238366.rb
@@ -69,7 +69,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000405-GPOS-00184 "
 tag gid: "V-238366 "
- tag rid: "SV-238366r654273_rule"
+ tag rid: "SV-238366r853443_rule "
 tag stig_id: "UBTU-20-010445 "
 tag fix_id: "F-41535r654272_fix "
 tag cci: ["CCI-002476"]
diff --git a/controls/SV-238367.rb b/controls/SV-238367.rb
index ffac6ec..a738b7f 100644
--- a/controls/SV-238367.rb
+++ b/controls/SV-238367.rb
@@ -79,7 +79,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000420-GPOS-00186 "
 tag gid: "V-238367 "
- tag rid: "SV-238367r654276_rule"
+ tag rid: "SV-238367r853444_rule "
 tag stig_id: "UBTU-20-010446 "
 tag fix_id: "F-41536r654275_fix "
 tag cci: ["CCI-002385"]
diff --git a/controls/SV-238368.rb b/controls/SV-238368.rb
index 63474a6..0d06385 100644
--- a/controls/SV-238368.rb
+++ b/controls/SV-238368.rb
@@ -43,7 +43,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000433-GPOS-00192 "
 tag gid: "V-238368 "
- tag rid: "SV-238368r654279_rule"
+ tag rid: "SV-238368r853445_rule "
 tag stig_id: "UBTU-20-010447 "
 tag fix_id: "F-41537r654278_fix "
 tag cci: ["CCI-002824"]
diff --git a/controls/SV-238369.rb b/controls/SV-238369.rb
index fd66056..676c3df 100644
--- a/controls/SV-238369.rb
+++ b/controls/SV-238369.rb
@@ -57,7 +57,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000433-GPOS-00193 "
 tag gid: "V-238369 "
- tag rid: "SV-238369r654282_rule"
+ tag rid: "SV-238369r853446_rule "
 tag stig_id: "UBTU-20-010448 "
 tag fix_id: "F-41538r654281_fix "
 tag cci: ["CCI-002824"]
diff --git a/controls/SV-238370.rb b/controls/SV-238370.rb
index 93d1a33..7420e73 100644
--- a/controls/SV-238370.rb
+++ b/controls/SV-238370.rb
@@ -37,7 +37,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000437-GPOS-00194 "
 tag gid: "V-238370 "
- tag rid: "SV-238370r654285_rule"
+ tag rid: "SV-238370r853447_rule "
 tag stig_id: "UBTU-20-010449 "
 tag fix_id: "F-41539r654284_fix "
 tag cci: ["CCI-002617"]
diff --git a/controls/SV-238371.rb b/controls/SV-238371.rb
index a817115..ecf93a2 100644
--- a/controls/SV-238371.rb
+++ b/controls/SV-238371.rb
@@ -46,7 +46,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000445-GPOS-00199 "
 tag gid: "V-238371 "
- tag rid: "SV-238371r654288_rule"
+ tag rid: "SV-238371r853448_rule "
 tag stig_id: "UBTU-20-010450 "
 tag fix_id: "F-41540r654287_fix "
 tag cci: ["CCI-002696"]
diff --git a/controls/SV-238372.rb b/controls/SV-238372.rb
index 623b681..be58bdf 100644
--- a/controls/SV-238372.rb
+++ b/controls/SV-238372.rb
@@ -44,7 +44,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000447-GPOS-00201 "
 tag gid: "V-238372 "
- tag rid: "SV-238372r654318_rule"
+ tag rid: "SV-238372r853449_rule "
 tag stig_id: "UBTU-20-010451 "
 tag fix_id: "F-41541r654290_fix "
 tag cci: ["CCI-002702"]
diff --git a/controls/SV-238373.rb b/controls/SV-238373.rb
index be80860..a5adfe1 100644
--- a/controls/SV-238373.rb
+++ b/controls/SV-238373.rb
@@ -41,11 +41,11 @@
 tag severity: "low "
 tag gtitle: "SRG-OS-000480-GPOS-00227 "
 tag gid: "V-238373 "
- tag rid: "SV-238373r654294_rule"
+ tag rid: "SV-238373r858539_rule "
 tag stig_id: "UBTU-20-010453 "
 tag fix_id: "F-41542r654293_fix "
- tag cci: ["CCI-000052", "CCI-000366"]
- tag nist: ["AC-9", "CM-6 b"]
+ tag cci: ["CCI-000052"]
+ tag nist: ["AC-9"]
 describe command('grep pam_lastlog /etc/pam.d/login') do
 its('exit_status') { should eq 0 }
diff --git a/controls/SV-251505.rb b/controls/SV-251505.rb
index 9d67a5e..ea78593 100644
--- a/controls/SV-251505.rb
+++ b/controls/SV-251505.rb
@@ -46,7 +46,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000378-GPOS-00163 "
 tag gid: "V-251505 "
- tag rid: "SV-251505r808512_rule"
+ tag rid: "SV-251505r853450_rule "
 tag stig_id: "UBTU-20-010461 "
 tag fix_id: "F-54894r808511_fix "
 tag cci: ["CCI-001958"]
diff --git a/controls/SV-252704.rb b/controls/SV-252704.rb
index 822d279..8aa1a7d 100644
--- a/controls/SV-252704.rb
+++ b/controls/SV-252704.rb
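Review bot: Dropping `CCI-000366` and `CM-6 b` from the cci/nist tags of SV-238373 changes this control's NIST 800-53 mapping, which is a substantive compliance-reporting change rather than the formatting refresh the commit title describes, and the commit message does not mention it. If the removal tracks the updated STIG revision (the rid moves to r858539 in the same hunk), say so in the description so anyone auditing the mapping can trace it; otherwise keeping the original pair is the safer default until the source is confirmed. The describe block that follows is context only and is unchanged by this hunk.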
@@ -81,7 +81,7 @@
 tag severity: "medium "
 tag gtitle: "SRG-OS-000481-GPOS-00481 "
 tag gid: "V-252704 "
- tag rid: "SV-252704r819057_rule"
+ tag rid: "SV-252704r854182_rule "
 tag stig_id: "UBTU-20-010455 "
 tag fix_id: "F-56110r819056_fix "
 tag cci: ["CCI-002418"]