| contains 219 rules |
System Settings
[ref]groupContains rules that check correct system settings. |
| contains 184 rules |
Installing and Maintaining Software
[ref]groupThe following sections contain information on
security-relevant choices during the initial operating system
installation process and the setup of software
updates. |
| contains 31 rules |
System and Software Integrity
[ref]groupSystem and software integrity can be gained by installing antivirus, increasing
system encryption strength with FIPS, verifying installed software, enabling SELinux,
installing an Intrusion Prevention System, etc. However, installing or enabling integrity
checking tools cannot prevent intrusions, but they can detect that an intrusion
may have occurred. Requirements for integrity checking may be highly dependent on
the environment in which the system will be used. Snapshot-based approaches such
as AIDE may induce considerable overhead in the presence of frequent software updates. |
| contains 2 rules |
Software Integrity Checking
[ref]groupBoth the AIDE (Advanced Intrusion Detection Environment)
software and the RPM package management system provide
mechanisms for verifying the integrity of installed software.
AIDE uses snapshots of file metadata (such as hashes) and compares these
to current system files in order to detect changes.
The RPM package management system can conduct integrity
checks by comparing information in its metadata database with
files installed on the system. |
| contains 2 rules |
Verify Integrity with AIDE
[ref]groupAIDE conducts integrity checks by comparing information about
files with previously-gathered information. Ideally, the AIDE database is
created immediately after initial system configuration, and then again after any
software update. AIDE is highly configurable, with further configuration
information located in /usr/share/doc/aide-VERSION. |
| contains 2 rules |
Install AIDE
[ref]ruleThe aide package can be installed with the following command:
$ sudo zypper install aide Rationale:The AIDE package must be installed if it is to be available for integrity checking. Identifiers:
CCE-83289-9 References:
1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, R76, R79, SLES-15-750150015, 1034, 1288, 1341, 1417, 11.5.2, SV-255922r958794_rule
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
[[packages]]
name = "aide"
version = "*"
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83289-9
- CJIS-5.10.1.3
- DISA-STIG-SLES-15-010419
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_aide_installed
- name: Ensure aide is installed
ansible.builtin.package:
name: aide
state: present
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83289-9
- CJIS-5.10.1.3
- DISA-STIG-SLES-15-010419
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_aide_installed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
zypper install -y "aide"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Build and Test AIDE Database
[ref]ruleRun the following command to generate a new database:
$ sudo /usr/bin/aide --init
By default, the database will be written to the file
/var/lib/aide/aide.db.new.
Storing the database, the configuration file /etc/aide.conf, and the binary
/usr/bin/aide
(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
To initiate a manual check, run the following command:
$ sudo /usr/bin/aide --check
If this check produces any unexpected output, investigate.Warning:
In RHEL Image Mode (bootc) systems, the AIDE database must be regenerated after each system update.
Image Mode systems receive updates through new container images that may include modified files.
After applying system updates, run the following commands to regenerate the AIDE database:
$ sudo /usr/bin/aide --init
Then replace the existing database:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Failure to regenerate the AIDE database after updates will result in false positive alerts
for legitimate system changes introduced by the update process. For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. Identifiers:
CCE-85787-0 References:
1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, R76, R79, SLES-15-750150015, 11.5.2, SV-255922r958794_rule
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85787-0
- CJIS-5.10.1.3
- DISA-STIG-SLES-15-010419
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_build_database
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Build and Test AIDE Database - Ensure Repositories Are Updated
ansible.builtin.command: zypper -q --no-remote ref
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85787-0
- CJIS-5.10.1.3
- DISA-STIG-SLES-15-010419
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_build_database
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
ansible.builtin.package:
name: '{{ item }}'
state: present
with_items:
- aide
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85787-0
- CJIS-5.10.1.3
- DISA-STIG-SLES-15-010419
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_build_database
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Build and Test AIDE Database - Check Whether the Stock AIDE Database Exists
ansible.builtin.stat:
path: /var/lib/aide/aide.db.new
register: aide_database_stat
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85787-0
- CJIS-5.10.1.3
- DISA-STIG-SLES-15-010419
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_build_database
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Build and Test AIDE Database - Build and Test AIDE Database
ansible.builtin.command: /usr/bin/aide --init
changed_when: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- not (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists)
register: aide_database_init
tags:
- CCE-85787-0
- CJIS-5.10.1.3
- DISA-STIG-SLES-15-010419
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_build_database
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Build and Test AIDE Database - Stage AIDE Database
ansible.builtin.copy:
src: /var/lib/aide/aide.db.new
dest: /var/lib/aide/aide.db
backup: true
remote_src: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- aide_database_init is changed
- not ansible_check_mode
tags:
- CCE-85787-0
- CJIS-5.10.1.3
- DISA-STIG-SLES-15-010419
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_build_database
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
zypper -q --no-remote ref
zypper install -y "aide"
/usr/bin/aide --init
/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disk Partitioning
[ref]groupTo ensure separation and protection of data, there
are top-level system directories which should be placed on their
own physical partition or logical volume. The installer's default
partitioning scheme creates separate logical volumes for
/, /boot, and swap.
- If starting with any of the default layouts, check the box to
\"Review and modify partitioning.\" This allows for the easy creation
of additional logical volumes inside the volume group already
created, though it may require making
/'s logical volume smaller to
create space. In general, using logical volumes is preferable to
using partitions because they can be more easily adjusted
later. - If creating a custom layout, create the partitions mentioned in
the previous paragraph (which the installer will require anyway),
as well as separate ones described in the following sections.
If a system has already been installed, and the default
partitioning
scheme was used, it is possible but nontrivial to
modify it to create separate logical volumes for the directories
listed above. The Logical Volume Manager (LVM) makes this possible. |
| contains 9 rules |
Ensure /boot Located On Separate Partition
[ref]ruleIt is recommended that the /boot directory resides on a separate
partition. This makes it easier to apply restrictions e.g. through the
noexec mount option. Eventually, the /boot partition can
be configured not to be mounted automatically with the noauto mount
option. Rationale:The /boot partition contains the kernel and bootloader files.
Access to this partition should be restricted. Identifiers:
CCE-91176-8 References:
R28 |
Ensure /home Located On Separate Partition
[ref]ruleIf user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later. Rationale:Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. Identifiers:
CCE-85639-3 References:
12, 15, 8, APO13.01, DSS05.02, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SLES-15-040200, 1.1.17, R28, SLES-15-150150270, SV-235004r991589_rule |
Ensure /opt Located On Separate Partition
[ref]ruleIt is recommended that the /opt directory resides on a separate
partition. Rationale:The /opt partition contains additional software, usually installed
outside the packaging system. Putting this directory on a separate partition
makes it easier to apply restrictions e.g. through the nosuid mount
option. Identifiers:
CCE-91177-6 References:
R28 |
Ensure /srv Located On Separate Partition
[ref]ruleIf a file server (FTP, TFTP...) is hosted locally, create a separate partition
for /srv at installation time (or migrate it later using LVM). If
/srv will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later. Rationale:Srv deserves files for local network file server such as FTP. Ensuring
that /srv is mounted on its own partition enables the setting of
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. Identifiers:
CCE-91178-4 References:
R28 |
Ensure /usr Located On Separate Partition
[ref]ruleIt is recommended that the /usr directory resides on a separate
partition. Rationale:The /usr partition contains system software, utilities and files.
Putting it on a separate partition allows limiting its size and applying
restrictions through mount options. Identifiers:
CCE-91180-0 References:
R28 |
Ensure /var Located On Separate Partition
[ref]ruleThe /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM. Rationale:Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. Identifiers:
CCE-85640-1 References:
12, 15, 8, APO13.01, DSS05.02, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SLES-15-040210, 1.1.10, R28, SLES-15-150150315, SV-235005r991589_rule |
Ensure /var/log Located On Separate Partition
[ref]ruleSystem logs are stored in the /var/log directory.
Ensure that /var/log has its own partition or logical
volume at installation time, or migrate it using LVM. Rationale:Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. Identifiers:
CCE-91181-8 References:
1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15, R28, SLES-15-150150420 |
Ensure /var/tmp Located On Separate Partition
[ref]ruleThe /var/tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM. Rationale:The /var/tmp partition is used as temporary storage by many programs.
Placing /var/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
Ensure tmp.mount Unit Is Enabled
[ref]ruleThe /tmp directory is a world-writable directory used
for temporary file storage. This directory is managed by systemd-tmpfiles.
Ensure that the tmp.mount systemd unit is enabled. Rationale:The /tmp directory is used as temporary storage by many programs.
Placing /tmp in a tmpfs filesystem enables the setting of more
restrictive mount options, which can help protect programs which use it.
The tmp.mount unit configures the tmpfs filesystem and ensures
the /tmp directory is wiped during reboot. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- enable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- systemd_tmp_mount_enabled
- name: Enable mount tmp
ansible.builtin.systemd:
name: tmp.mount
enabled: 'yes'
state: started
masked: 'false'
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- enable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- systemd_tmp_mount_enabled
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'tmp.mount'
if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
"$SYSTEMCTL_EXEC" start 'tmp.mount'
fi
"$SYSTEMCTL_EXEC" enable 'tmp.mount'
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Sudo, which stands for "su 'do'", provides the ability to delegate authority
to certain users, groups of users, or system administrators. When configured for system
users and/or groups, Sudo can allow a user or group to execute privileged commands
that normally only root is allowed to execute.
For more information on Sudo and addition Sudo configuration options, see
https://www.sudo.ws.
|
| contains 16 rules |
Install sudo Package
[ref]ruleThe sudo package can be installed with the following command:
$ sudo zypper install sudo Rationale:sudo is a program designed to allow a system administrator to give
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done.
Remediation Puppet snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
[[packages]]
name = "sudo"
version = "*"
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91183-4
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_sudo_installed
- name: Ensure sudo is installed
ansible.builtin.package:
name: sudo
state: present
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91183-4
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_sudo_installed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
zypper install -y "sudo"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Group Who Owns /etc/sudoers.d Directory
[ref]rule To properly set the group owner of /etc/sudoers.d, run the command:
$ sudo chgrp root /etc/sudoers.d
Rationale:The ownership of the /etc/sudoers.d directory by the root group is important
because this directory hosts sudo configuration. Protection of this
directory is critical for system security. Assigning the ownership to root
ensures exclusive control of the sudo configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92503-2
- configure_strategy
- directory_groupowner_etc_sudoersd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the root group is defined
ansible.builtin.getent:
database: group
key: root
ignore_errors: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- directory_groupowner_etc_sudoersd_newgroup is undefined
tags:
- CCE-92503-2
- configure_strategy
- directory_groupowner_etc_sudoersd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_groupowner_etc_sudoersd_newgroup variable if root found
ansible.builtin.set_fact:
directory_groupowner_etc_sudoersd_newgroup: root
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ansible_facts.getent_group["root"] is defined
tags:
- CCE-92503-2
- configure_strategy
- directory_groupowner_etc_sudoersd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/sudoers.d/
ansible.builtin.file:
path: /etc/sudoers.d/
follow: false
state: directory
group: '{{ directory_groupowner_etc_sudoersd_newgroup }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92503-2
- configure_strategy
- directory_groupowner_etc_sudoersd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
newgroup=""
if getent group "root" >/dev/null 2>&1; then
newgroup="root"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "root is not a defined group on the system"
else
find -P /etc/sudoers.d/ -maxdepth 0 -type d ! -group root -exec chgrp --no-dereference "$newgroup" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify User Who Owns /etc/sudoers.d Directory
[ref]rule To properly set the owner of /etc/sudoers.d, run the command:
$ sudo chown root /etc/sudoers.d
Rationale:The ownership of the /etc/sudoers.d directory by the root user is important
because this directory hosts sudo configuration. Protection of this
directory is critical for system security. Assigning the ownership to root
ensures exclusive control of the sudo configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92512-3
- configure_strategy
- directory_owner_etc_sudoersd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_owner_etc_sudoersd_newown variable if represented by uid
ansible.builtin.set_fact:
directory_owner_etc_sudoersd_newown: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92512-3
- configure_strategy
- directory_owner_etc_sudoersd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on directory /etc/sudoers.d/
ansible.builtin.file:
path: /etc/sudoers.d/
follow: false
state: directory
owner: '{{ directory_owner_etc_sudoersd_newown }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92512-3
- configure_strategy
- directory_owner_etc_sudoersd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
find -P /etc/sudoers.d/ -maxdepth 0 -type d ! -user 0 -exec chown --no-dereference "$newown" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/sudoers.d Directory
[ref]rule To properly set the permissions of /etc/sudoers.d, run the command: $ sudo chmod 0750 /etc/sudoers.d Rationale:Setting correct permissions on the /etc/sudoers.d directory is important
because this directory hosts sudo configuration. Protection of this
directory is critical for system security. Restricting the permissions
ensures exclusive control of the sudo configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92525-5
- configure_strategy
- directory_permissions_etc_sudoersd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/sudoers.d/ file(s)
ansible.builtin.command: 'find -P /etc/sudoers.d/ -maxdepth 0 -perm /u+s,g+ws,o+xwrt -type
d '
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92525-5
- configure_strategy
- directory_permissions_etc_sudoersd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/sudoers.d/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-s,g-ws,o-xwrt
state: directory
with_items:
- '{{ files_found.stdout_lines }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92525-5
- configure_strategy
- directory_permissions_etc_sudoersd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
find -H /etc/sudoers.d/ -maxdepth 0 -perm /u+s,g+ws,o+xwrt -type d -exec chmod u-s,g-ws,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Group Who Owns /etc/sudoers File
[ref]rule To properly set the group owner of /etc/sudoers, run the command:
$ sudo chgrp root /etc/sudoers
Rationale:The ownership of the /etc/sudoers file by the root group is important
because this file hosts sudo configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the sudo configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_groupowner_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the root group is defined
ansible.builtin.getent:
database: group
key: root
ignore_errors: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_groupowner_etc_sudoers_newgroup is undefined
tags:
- configure_strategy
- file_groupowner_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_sudoers_newgroup variable if root found
ansible.builtin.set_fact:
file_groupowner_etc_sudoers_newgroup: root
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ansible_facts.getent_group["root"] is defined
tags:
- configure_strategy
- file_groupowner_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/sudoers
ansible.builtin.stat:
path: /etc/sudoers
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_groupowner_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/sudoers
ansible.builtin.file:
path: /etc/sudoers
follow: false
group: '{{ file_groupowner_etc_sudoers_newgroup }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_groupowner_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
newgroup=""
if getent group "root" >/dev/null 2>&1; then
newgroup="root"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "root is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/sudoers" | grep -E -w -q "root"; then
chgrp --no-dereference "$newgroup" /etc/sudoers
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify User Who Owns /etc/sudoers File
[ref]rule To properly set the owner of /etc/sudoers, run the command:
$ sudo chown root /etc/sudoers
Rationale:The ownership of the /etc/sudoers file by the root user is important
because this file hosts sudo configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the sudo configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_owner_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_sudoers_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_sudoers_newown: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_owner_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/sudoers
ansible.builtin.stat:
path: /etc/sudoers
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_owner_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/sudoers
ansible.builtin.file:
path: /etc/sudoers
follow: false
owner: '{{ file_owner_etc_sudoers_newown }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_owner_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/sudoers" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/sudoers
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/sudoers File
[ref]rule To properly set the permissions of /etc/sudoers, run the command: $ sudo chmod 0440 /etc/sudoers Rationale:Setting correct permissions on the /etc/sudoers file is important
because this file hosts sudo configuration. Protection of this
file is critical for system security. Restricting the permissions
ensures exclusive control of the sudo configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_permissions_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/sudoers
ansible.builtin.stat:
path: /etc/sudoers
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_permissions_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xws,g-xws,o-xwrt on /etc/sudoers
ansible.builtin.file:
path: /etc/sudoers
mode: u-xws,g-xws,o-xwrt
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_permissions_etc_sudoers
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
chmod u-xws,g-xws,o-xwrt /etc/sudoers
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref]ruleThe sudo env_reset tag, when specified, will run the command in a minimal environment,
containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables.
This should be enabled by making sure that the env_reset tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. Rationale:Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentally, preventing leak of potentially sensitive information. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91184-2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_env_reset
- name: Ensure env_reset is enabled in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults.*\benv_reset\b.*$
line: Defaults env_reset
validate: /usr/sbin/visudo -cf %s
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91184-2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_env_reset
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
if ! grep -P '^[\s]*Defaults\b[^!\n]*\benv_reset.*$' /etc/sudoers; then
# sudoers file doesn't define Option env_reset
echo "Defaults env_reset" >> /etc/sudoers
fi
# Check validity of sudoers and cleanup bak
if /usr/sbin/visudo -qcf /etc/sudoers; then
rm -f /etc/sudoers.bak
else
echo "Fail to validate remediated /etc/sudoers, reverting to original file."
mv /etc/sudoers.bak /etc/sudoers
false
fi
else
echo "Skipping remediation, /etc/sudoers failed to validate"
false
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
[ref]ruleThe sudo ignore_dot tag, when specified, will ignore the current directory
in the PATH environment variable.
This should be enabled by making sure that the ignore_dot tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. Rationale:Ignoring the commands in the user's current directory prevents an attacker from executing commands
downloaded locally. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91185-9
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_ignore_dot
- name: Ensure ignore_dot is enabled in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults.*\bignore_dot\b.*$
line: Defaults ignore_dot
validate: /usr/sbin/visudo -cf %s
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91185-9
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_ignore_dot
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
if ! grep -P '^[\s]*Defaults\b[^!\n]*\bignore_dot.*$' /etc/sudoers; then
# sudoers file doesn't define Option ignore_dot
echo "Defaults ignore_dot" >> /etc/sudoers
fi
# Check validity of sudoers and cleanup bak
if /usr/sbin/visudo -qcf /etc/sudoers; then
rm -f /etc/sudoers.bak
else
echo "Fail to validate remediated /etc/sudoers, reverting to original file."
mv /etc/sudoers.bak /etc/sudoers
false
fi
else
echo "Skipping remediation, /etc/sudoers failed to validate"
false
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref]ruleThe sudo NOEXEC tag, when specified, prevents user executed
commands from executing other commands, like a shell for example.
This should be enabled by making sure that the NOEXEC tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. Rationale:Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91186-7
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sudo_add_noexec
- name: Ensure noexec is enabled in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults.*\bnoexec\b.*$
line: Defaults noexec
validate: /usr/sbin/visudo -cf %s
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91186-7
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sudo_add_noexec
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
if ! grep -P '^[\s]*Defaults\b[^!\n]*\bnoexec.*$' /etc/sudoers; then
# sudoers file doesn't define Option noexec
echo "Defaults noexec" >> /etc/sudoers
fi
# Check validity of sudoers and cleanup bak
if /usr/sbin/visudo -qcf /etc/sudoers; then
rm -f /etc/sudoers.bak
else
echo "Fail to validate remediated /etc/sudoers, reverting to original file."
mv /etc/sudoers.bak /etc/sudoers
false
fi
else
echo "Skipping remediation, /etc/sudoers failed to validate"
false
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
[ref]ruleThe sudo requiretty tag, when specified, will only execute sudo
commands from users logged in to a real tty.
This should be enabled by making sure that the requiretty tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. Rationale:Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91188-3
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_requiretty
- name: Ensure requiretty is enabled in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults.*\brequiretty\b.*$
line: Defaults requiretty
validate: /usr/sbin/visudo -cf %s
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91188-3
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_requiretty
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
if ! grep -P '^[\s]*Defaults\b[^!\n]*\brequiretty.*$' /etc/sudoers; then
# sudoers file doesn't define Option requiretty
echo "Defaults requiretty" >> /etc/sudoers
fi
# Check validity of sudoers and cleanup bak
if /usr/sbin/visudo -qcf /etc/sudoers; then
rm -f /etc/sudoers.bak
else
echo "Fail to validate remediated /etc/sudoers, reverting to original file."
mv /etc/sudoers.bak /etc/sudoers
false
fi
else
echo "Skipping remediation, /etc/sudoers failed to validate"
false
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure sudo umask is appropriate - sudo umask
[ref]ruleThe sudo umask tag, when specified, will be added the to the user's umask in the
command environment.
The umask should be configured by making sure that the umask=0077 tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. Rationale:The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91189-1
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_umask
- name: XCCDF Value var_sudo_umask # promote to variable
set_fact:
var_sudo_umask: !!str 0077
tags:
- always
- name: Ensure umask is enabled with the appropriate value in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults\s(.*)\bumask=[-]?.+\b(.*)$
line: Defaults \1umask={{ var_sudo_umask }}\2
validate: /usr/sbin/visudo -cf %s
backrefs: true
register: edit_sudoers_umask_option
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91189-1
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_umask
- name: Enable umask option with appropriate value in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
line: Defaults umask={{ var_sudo_umask }}
validate: /usr/sbin/visudo -cf %s
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- edit_sudoers_umask_option is defined and not edit_sudoers_umask_option.changed
tags:
- CCE-91189-1
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_umask
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
var_sudo_umask='0077'
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
if ! grep -P '^[\s]*Defaults\b[^!\n]*\bumask=\w+\b.*$' /etc/sudoers; then
# sudoers file doesn't define Option umask
echo "Defaults umask=${var_sudo_umask}" >> /etc/sudoers
else
# sudoers file defines Option umask, remediate if appropriate value is not set
if ! grep -P "^[\s]*Defaults.*\bumask=${var_sudo_umask}\b.*$" /etc/sudoers; then
escaped_variable=${var_sudo_umask//$'/'/$'\/'}
sed -Ei "s/(^[\s]*Defaults.*\bumask=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
fi
fi
# Check validity of sudoers and cleanup bak
if /usr/sbin/visudo -qcf /etc/sudoers; then
rm -f /etc/sudoers.bak
else
echo "Fail to validate remediated /etc/sudoers, reverting to original file."
mv /etc/sudoers.bak /etc/sudoers
false
fi
else
echo "Skipping remediation, /etc/sudoers failed to validate"
false
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
[ref]ruleThe sudo use_pty tag, when specified, will only execute sudo
commands from users logged in to a real tty.
This should be enabled by making sure that the use_pty tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. Rationale:Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
access to the user's terminal after the main program has finished executing. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91190-9
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_use_pty
- name: Ensure use_pty is enabled in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults.*\buse_pty\b.*$
line: Defaults use_pty
validate: /usr/sbin/visudo -cf %s
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"sudo" in ansible_facts.packages'
tags:
- CCE-91190-9
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_use_pty
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base && { rpm --quiet -q sudo; }; then
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
if ! grep -P '^[\s]*Defaults\b[^!\n]*\buse_pty.*$' /etc/sudoers; then
# sudoers file doesn't define Option use_pty
echo "Defaults use_pty" >> /etc/sudoers
fi
# Check validity of sudoers and cleanup bak
if /usr/sbin/visudo -qcf /etc/sudoers; then
rm -f /etc/sudoers.bak
else
echo "Fail to validate remediated /etc/sudoers, reverting to original file."
mv /etc/sudoers.bak /etc/sudoers
false
fi
else
echo "Skipping remediation, /etc/sudoers failed to validate"
false
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Explicit arguments in sudo specifications
[ref]ruleAll commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.
If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification. Warning:
This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments. Warning:
The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that. For example, root ALL=(ALL) echo 1\,2 allows root to execute echo 1,2, but the check would interpret it as two commands echo 1\ and 2. Any argument can modify quite significantly the behavior of a program, whether regarding the
realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To
avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the
level of its specification.
For example, on some systems, the kernel messages are only accessible by root.
If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted
in order to prevent the user from flushing the buffer through the -c option:
user ALL = dmesg ""
|
Don't define allowed commands in sudoers by means of exclusion
[ref]rulePolicies applied by sudo through the sudoers file should not involve negation.
Each user specification in the sudoers file contains a comma-delimited list of command specifications.
The definition can make use glob patterns, as well as of negations.
Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs. Warning:
This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue. Specifying access right using negation is inefficient and can be easily circumvented.
For example, it is expected that a specification like
# To avoid absolutely , this rule can be easily circumvented!
user ALL = ALL ,!/ bin/sh
prevents the execution of the shell
but that’s not the case: just copy the binary /bin/sh to a different name to make it executable
again through the rule keyword ALL. |
Don't target root user in the sudoers file
[ref]ruleThe targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root).
User specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), and ALL or root should not be used. Warning:
This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable. It is common that the command to be executed does not require superuser rights (editing a file
whose the owner is not root, sending a signal to an unprivileged process,etc.). In order to limit
any attempt of privilege escalation through a command, it is better to apply normal user rights. |
Updating Software
[ref]groupThe zypper command line tool is used to install and
update software packages. The system also provides a graphical
software update tool in the System menu, in the Administration submenu,
called Software Update.
SUSE Linux Enterprise 15 systems contain an installed software catalog called
the RPM database, which records metadata of installed packages. Consistently using
zypper or the graphical Software Update for all software installation
allows for insight into the current inventory of installed software on the system.
|
| contains 4 rules |
Ensure gpgcheck Enabled In Main zypper Configuration
[ref]ruleThe gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure zypper to check package signatures before installing
them, ensure the following line appears in /etc/zypp/zypp.conf in
the [main] section:
gpgcheck=1 Rationale:Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system
components must be signed with a certificate recognized and approved by the
organization.
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from a vendor.
This ensures the software has not been tampered with and that it has been
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). Identifiers:
CCE-83290-7 References:
11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SLES-15-010430, 1.2.3, R59, SLES-15-150300030, 1493, 6.3.3, 6.3, SV-234852r1009613_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83290-7
- CJIS-5.10.4.1
- DISA-STIG-SLES-15-010430
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- configure_strategy
- ensure_gpgcheck_globally_activated
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Ensure GPG check is globally activated
community.general.ini_file:
dest: /etc/zypp/zypp.conf
section: main
option: gpgcheck
value: 1
no_extra_spaces: true
create: false
when: '"zypper" in ansible_facts.packages'
tags:
- CCE-83290-7
- CJIS-5.10.4.1
- DISA-STIG-SLES-15-010430
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- configure_strategy
- ensure_gpgcheck_globally_activated
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
# Remediation is applicable only in certain platforms
if rpm --quiet -q zypper; then
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/zypp/zypp.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/zypp/zypp.conf"
else
if [[ -s "/etc/zypp/zypp.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/zypp/zypp.conf" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/zypp/zypp.conf"
fi
cce="CCE-83290-7"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/zypp/zypp.conf" >> "/etc/zypp/zypp.conf"
printf '%s\n' "$formatted_output" >> "/etc/zypp/zypp.conf"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure gpgcheck Enabled for Local Packages
[ref]rulezypper should be configured to verify the signature(s) of local packages
prior to installation. To configure zypper to verify signatures of local
packages, set the localpkg_gpgcheck to 1 in /etc/zypp/zypp.conf.
Rationale:Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must
be signed with a certificate recognized and approved by the organization. Identifiers:
CCE-91167-7 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, R59, 1493
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | unknown |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91167-7
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- ensure_gpgcheck_local_packages
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Ensure GPG check Enabled for Local Packages (zypper)
block:
- name: Check stats of zypper
ansible.builtin.stat:
path: /etc/zypp/zypp.conf
register: pkg
- name: Check if config file of zypper is a symlink
ansible.builtin.set_fact:
pkg_config_file_symlink: '{{ pkg.stat.lnk_target if pkg.stat.lnk_target is match("^/.*")
else "/etc/zypp/zypp.conf" | dirname ~ "/" ~ pkg.stat.lnk_target }}'
when: pkg.stat.lnk_target is defined
- name: Ensure GPG check Enabled for Local Packages (zypper)
community.general.ini_file:
dest: '{{ pkg_config_file_symlink | default("/etc/zypp/zypp.conf") }}'
section: main
option: localpkg_gpgcheck
value: 1
no_extra_spaces: true
create: true
when: '"zypper" in ansible_facts.packages'
tags:
- CCE-91167-7
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- ensure_gpgcheck_local_packages
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
# Remediation is applicable only in certain platforms
if rpm --quiet -q zypper; then
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/zypp/zypp.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/zypp/zypp.conf"
else
if [[ -s "/etc/zypp/zypp.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/zypp/zypp.conf" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/zypp/zypp.conf"
fi
cce="CCE-91167-7"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/zypp/zypp.conf" >> "/etc/zypp/zypp.conf"
printf '%s\n' "$formatted_output" >> "/etc/zypp/zypp.conf"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure gpgcheck Enabled for All zypper Package Repositories
[ref]ruleTo ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/zypp/repos.d of the form:
gpgcheck=0 Rationale:Verifying the authenticity of the software prior to installation validates
the integrity of the patch or upgrade received from a vendor. This ensures
the software has not been tampered with and that it has been provided by a
trusted vendor. Self-signed certificates are disallowed by this
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)." Identifiers:
CCE-85797-9 References:
11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, 1.2.3, R59, SLES-15-150300030, 1493, 6.3.3, 6.3
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
- name: Grep for zypper repo section names
ansible.builtin.shell: |
set -o pipefail
grep -HEr '^\[.+\]' -r /etc/zypp/repos.d/
register: repo_grep_results
failed_when: repo_grep_results.rc not in [0, 1]
changed_when: false
tags:
- CCE-85797-9
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- enable_strategy
- ensure_gpgcheck_never_disabled
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Set gpgcheck=1 for each zypper repo
community.general.ini_file:
path: '{{ item[0] }}'
section: '{{ item[1] }}'
option: gpgcheck
value: '1'
no_extra_spaces: true
loop: '{{ repo_grep_results.stdout |regex_findall( ''(.+\.repo):\[(.+)\]\n?'' )
if repo_grep_results is not skipped else [] }}'
when: repo_grep_results is not skipped
tags:
- CCE-85797-9
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- enable_strategy
- ensure_gpgcheck_never_disabled
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/*
|
Ensure Software Patches Installed
[ref]rule
If the system is configured for online updates, invoking the following command will list available
security updates:
$ sudo zypper refresh && sudo zypper list-patches -g security
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
dictates.Warning:
The OVAL feed of SUSE Linux Enterprise 15 is not a XML file, which may not be understood by all scanners. Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. Identifiers:
CCE-83261-8 References:
18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SLES-15-010010, 1.9, R61, SLES-15-150300075, 1409, 6.3.3, 6.3, SV-234802r991589_rule
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | true |
|---|
| Strategy: | patch |
|---|
- name: Security patches are up to date
ansible.builtin.package:
name: '*'
state: latest
tags:
- CCE-83261-8
- CJIS-5.10.4.1
- DISA-STIG-SLES-15-010010
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-2(5)
- NIST-800-53-SI-2(c)
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- high_disruption
- low_complexity
- medium_severity
- patch_strategy
- reboot_required
- security_patches_up_to_date
- skip_ansible_lint
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | true |
|---|
| Strategy: | patch |
|---|
zypper patch -g security -y
|
Account and Access Control
[ref]groupIn traditional Unix security, if an attacker gains
shell access to a certain login account, they can perform any action
or access any file to which that account has access. Therefore,
making it more difficult for unauthorized people to gain shell
access to accounts, particularly to privileged accounts, is a
necessary part of securing a system. This section introduces
mechanisms for restricting access to accounts under
SUSE Linux Enterprise 15. |
| contains 25 rules |
Protect Accounts by Configuring PAM
[ref]groupPAM, or Pluggable Authentication Modules, is a system
which implements modular authentication for Linux programs. PAM provides
a flexible and configurable architecture for authentication, and it should be configured
to minimize exposure to unnecessary risk. This section contains
guidance on how to accomplish that.
PAM is implemented as a set of shared objects which are
loaded and invoked whenever an application wishes to authenticate a
user. Typically, the application must be running as root in order
to take advantage of PAM, because PAM's modules often need to be able
to access sensitive stores of account information, such as /etc/shadow.
Traditional privileged network listeners
(e.g. sshd) or SUID programs (e.g. sudo) already meet this
requirement. An SUID root application, userhelper, is provided so
that programs which are not SUID or privileged themselves can still
take advantage of PAM.
PAM looks in the directory /etc/pam.d for
application-specific configuration information. For instance, if
the program login attempts to authenticate a user, then PAM's
libraries follow the instructions in the file /etc/pam.d/login
to determine what actions should be taken.
One very important file in /etc/pam.d is
/etc/pam.d/system-auth. This file, which is included by
many other PAM configuration files, defines 'default' system authentication
measures. Modifying this file is a good way to make far-reaching
authentication changes, for instance when implementing a
centralized authentication service. Warning:
Be careful when making changes to PAM's configuration files.
The syntax for these files is complex, and modifications can
have unexpected consequences. The default configurations shipped
with applications should be sufficient for most users. |
| contains 12 rules |
Set Lockouts for Failed Password Attempts
[ref]groupThe pam_faillock PAM module provides the capability to
lock out user accounts after a number of failed login attempts. Its
documentation is available in
/usr/share/doc/pam-VERSION/txts/README.pam_faillock.
Warning:
Locking out user accounts presents the
risk of a denial-of-service attack. The lockout policy
must weigh whether the risk of such a
denial-of-service attack outweighs the benefits of thwarting
password guessing attacks. |
| contains 4 rules |
Limit Password Reuse
[ref]ruleDo not allow users to reuse recent passwords. This can be
accomplished by using the remember option for the
pam_pwhistory PAM modules.
In the file /etc/pam.d/common-password, make sure the parameters
remember and use_authtok are present, and that the value
for the remember parameter is 5 or greater. For example:
password requisite pam_pwhistory.so ...existing_options... remember=5 use_authtok
The profile requirement is 5 passwords.Rationale:Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_password_pam_remember # promote to variable
set_fact:
var_password_pam_remember: !!str 5
tags:
- always
- name: Set control_flag fact
ansible.builtin.set_fact:
control_flag: requisite
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check to see if 'pam_pwhistory.so' module is configured in '/etc/pam.d/common-password'
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+\S+\s+pam_pwhistory.so' /etc/pam.d/common-password || true
register: check_pam_module_result
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure 'pam_pwhistory.so' module in '/etc/pam.d/common-password'
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
line: password requisite pam_pwhistory.so
state: present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- check_pam_module_result.stdout is defined and '"pam_pwhistory.so" not in check_pam_module_result.stdout'
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure 'pam_pwhistory.so' module has conforming control flag
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+)\S+(\s+pam_pwhistory.so\s+.*)
line: \g<1>requisite\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- control_flag|length
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_pwhistory.so" module has argument "remember={{ var_password_pam_remember
}}"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so(?:\s+\S+)*\s+remember=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_remember }}\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "remember" argument in "pam_pwhistory.so" module
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_pwhistory.so.*\s+remember(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "remember" argument to "pam_pwhistory.so" module
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> remember={{ var_password_pam_remember }}\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- check_pam_module_argument_result is not skipped and '"remember" not in check_pam_module_argument_result.stdout'
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set argument_value fact
ansible.builtin.set_fact:
argument_value: ''
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_pwhistory.so" module has argument "use_authtok"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so(?:\s+\S+)*\s+use_authtok=)(?!)\S*((\s+\S+)*\s*\\*\s*)$
line: \g<1>\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- argument_value|length
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "use_authtok" argument in "pam_pwhistory.so" module
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_pwhistory.so.*\s+use_authtok(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "use_authtok" argument to "pam_pwhistory.so" module
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> use_authtok\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- check_pam_module_argument_result is not skipped and '"use_authtok" not in check_pam_module_argument_result.stdout'
tags:
- CCE-91398-8
- accounts_password_pam_pwhistory_remember
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base && { rpm --quiet -q pam; }; then
declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
declare -a DEL_ARGS=()
var_password_pam_remember='5'
VALUES+=("$var_password_pam_remember")
VALUE_NAMES+=("remember")
ARGS+=("")
NEW_ARGS+=("")
VALUES+=("")
VALUE_NAMES+=("")
ARGS+=("use_authtok")
NEW_ARGS+=("use_authtok")
for idx in "${!VALUES[@]}"
do
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_pwhistory.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwhistory.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_pwhistory.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_pwhistory.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwhistory.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_pwhistory.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_pwhistory.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
done
for idx in "${!ARGS[@]}"
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_pwhistory.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_pwhistory.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
if [ -n "${DEL_ARGS[$idx]}" ]; then
sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
fi
fi
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Deny For Failed Password Attempts
[ref]ruleThe SUSE Linux Enterprise 15 operating system must lock an account after - at most - 5
consecutive invalid access attempts. Rationale:By limiting the number of failed logon attempts, the risk of unauthorized
system access via user password guessing, otherwise known as brute-force
attacks, is reduced. Limits are imposed by locking the account.
To configure the operating system to lock an account after three
unsuccessful consecutive access attempts using pam_tally2.so,
modify the content of both /etc/pam.d/login and
/etc/pam.d/common-account as follows:
Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: XCCDF Value var_password_pam_tally2 # promote to variable
set_fact:
var_password_pam_tally2: !!str 5
tags:
- always
- name: Set Deny For Failed Password Attempts - Define a fact for control already
filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
in /etc/pam.d/login
block:
- name: Set Deny For Failed Password Attempts - Check if required PAM module line
is present in /etc/pam.d/login with different control
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set Deny For Failed Password Attempts - Ensure the correct control for the
required PAM module line in /etc/pam.d/login
ansible.builtin.replace:
dest: /etc/pam.d/login
regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
is included in /etc/pam.d/login
ansible.builtin.lineinfile:
dest: /etc/pam.d/login
insertafter: (fail)
line: auth {{ pam_module_control }} pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Define a fact for control already
filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*\sonerr\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_accounts_passwords_pam_tally2_option_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Ensure the "onerr" PAM option for
"pam_tally2.so" is included in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so.*)
line: \1 onerr=fail
state: present
register: result_pam_accounts_passwords_pam_tally2_add
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_option_present.found is defined
- result_pam_module_accounts_passwords_pam_tally2_option_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Ensure the required value for "onerr"
PAM option from "pam_tally2.so" in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s+.*)(onerr)=[0-9a-zA-Z]*\s*(.*)
line: \1\2=fail \3
register: result_pam_accounts_passwords_pam_tally2_edit
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_option_present.found > 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Define a fact for control already
filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
in /etc/pam.d/login
block:
- name: Set Deny For Failed Password Attempts - Check if required PAM module line
is present in /etc/pam.d/login with different control
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set Deny For Failed Password Attempts - Ensure the correct control for the
required PAM module line in /etc/pam.d/login
ansible.builtin.replace:
dest: /etc/pam.d/login
regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
is included in /etc/pam.d/login
ansible.builtin.lineinfile:
dest: /etc/pam.d/login
line: auth {{ pam_module_control }} pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Define a fact for control already
filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*\sdeny\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_accounts_passwords_pam_tally2_option_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Ensure the "deny" PAM option for "pam_tally2.so"
is included in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so.*)
line: \1 deny={{ var_password_pam_tally2 }}
state: present
register: result_pam_accounts_passwords_pam_tally2_add
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_option_present.found is defined
- result_pam_module_accounts_passwords_pam_tally2_option_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Ensure the required value for "deny"
PAM option from "pam_tally2.so" in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s+.*)(deny)=[0-9a-zA-Z]*\s*(.*)
line: \1\2={{ var_password_pam_tally2 }} \3
register: result_pam_accounts_passwords_pam_tally2_edit
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_option_present.found > 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Define a fact for control already
filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
in /etc/pam.d/common-account
block:
- name: Set Deny For Failed Password Attempts - Check if required PAM module line
is present in /etc/pam.d/common-account with different control
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set Deny For Failed Password Attempts - Ensure the correct control for the
required PAM module line in /etc/pam.d/common-account
ansible.builtin.replace:
dest: /etc/pam.d/common-account
regexp: ^(\s*account\s+).*(\bpam_tally2.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-account
line: account {{ pam_module_control }} pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Define a fact for control already
filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*\s\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_accounts_passwords_pam_tally2_option_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Ensure the "" PAM option for "pam_tally2.so"
is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
backrefs: true
regexp: ^(\s*account\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so.*)
line: \1
state: present
register: result_pam_accounts_passwords_pam_tally2_add
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_option_present.found is defined
- result_pam_module_accounts_passwords_pam_tally2_option_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base && { ( ( grep -qP "^ID=[\"']?sles[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="15.7"; [[ "$real" != "$expected" ]] && printf "%s\n%s" "$real" "$expected" | sort -VC; } && rpm --quiet -q pam ) ); }; then
var_password_pam_tally2='5'
# Use a non-number regexp to force update of the value of the deny option
if ! grep -qP "^\s*auth\s+required\s+pam_tally2.so\s*.*" "/etc/pam.d/login"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/login")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks "s/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1required \2/" "/etc/pam.d/login"
else
LAST_MATCH_LINE=$(grep -nP "(fail)" "/etc/pam.d/login" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
sed -i --follow-symlinks $LAST_MATCH_LINE" a auth required pam_tally2.so" "/etc/pam.d/login"
else
echo "auth required pam_tally2.so" >> "/etc/pam.d/login"
fi
fi
fi
# Check the option
if ! grep -qP "^\s*auth\s+required\s+pam_tally2.so\s*.*\sonerr\b" "/etc/pam.d/login"; then
sed -i -E --follow-symlinks "/\s*auth\s+required\s+pam_tally2.so.*/ s/$/ onerr=fail/" "/etc/pam.d/login"
else
sed -i -E --follow-symlinks "s/(\s*auth\s+required\s+pam_tally2.so\s+.*)(onerr=)[[:alnum:]]*\s*(.*)/\1\2fail \3/" "/etc/pam.d/login"
fi
if ! grep -qP "^\s*auth\s+required\s+pam_tally2.so\s*.*" "/etc/pam.d/login"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/login")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks "s/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1required \2/" "/etc/pam.d/login"
else
echo "auth required pam_tally2.so" >> "/etc/pam.d/login"
fi
fi
# Check the option
if ! grep -qP "^\s*auth\s+required\s+pam_tally2.so\s*.*\sdeny\b" "/etc/pam.d/login"; then
sed -i -E --follow-symlinks "/\s*auth\s+required\s+pam_tally2.so.*/ s/$/ deny=${var_password_pam_tally2}/" "/etc/pam.d/login"
else
sed -i -E --follow-symlinks "s/(\s*auth\s+required\s+pam_tally2.so\s+.*)(deny=)[[:alnum:]]*\s*(.*)/\1\2${var_password_pam_tally2} \3/" "/etc/pam.d/login"
fi
if ! grep -qP "^\s*account\s+required\s+pam_tally2.so\s*.*" "/etc/pam.d/common-account"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*account\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-account")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks "s/^(\s*account\s+).*(\bpam_tally2.so.*)/\1required \2/" "/etc/pam.d/common-account"
else
echo "account required pam_tally2.so" >> "/etc/pam.d/common-account"
fi
fi
# Check the option
if ! grep -qP "^\s*account\s+required\s+pam_tally2.so\s*.*\s\b" "/etc/pam.d/common-account"; then
sed -i -E --follow-symlinks "/\s*account\s+required\s+pam_tally2.so.*/ s/$/ /" "/etc/pam.d/common-account"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure the root Account lock for Failed Password Attempts via pam_tally2
[ref]ruleThis rule configures the system to lock out the root account after a number of
incorrect login attempts using pam_tally2.so. Rationale:By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. Identifiers:
CCE-91281-6 References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, 5.3.2, R31, 0421, 0422, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_password_pam_tally2 # promote to variable
set_fact:
var_password_pam_tally2: !!str 5
tags:
- always
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if expected PAM module line is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Include or update the PAM module line in /etc/pam.d/login
block:
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if required PAM module line is present in /etc/pam.d/login with different
control
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the correct control for the required PAM module line in /etc/pam.d/login
ansible.builtin.replace:
dest: /etc/pam.d/login
regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the required PAM module line is included in /etc/pam.d/login
ansible.builtin.lineinfile:
dest: /etc/pam.d/login
line: auth {{ pam_module_control }} pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if the required PAM module option is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*\sdeny\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_accounts_passwords_pam_tally2_deny_root_option_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the "deny" PAM option for "pam_tally2.so" is included in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so.*)
line: \1 deny={{ var_password_pam_tally2 }}
state: present
register: result_pam_accounts_passwords_pam_tally2_deny_root_add
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_deny_root_option_present.found
is defined
- result_pam_module_accounts_passwords_pam_tally2_deny_root_option_present.found
== 0
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the required value for "deny" PAM option from "pam_tally2.so" in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s+.*)(deny)=[0-9a-zA-Z]*\s*(.*)
line: \1\2={{ var_password_pam_tally2 }} \3
register: result_pam_accounts_passwords_pam_tally2_deny_root_edit
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_deny_root_option_present.found
> 0
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if expected PAM module line is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Include or update the PAM module line in /etc/pam.d/login
block:
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if required PAM module line is present in /etc/pam.d/login with different
control
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the correct control for the required PAM module line in /etc/pam.d/login
ansible.builtin.replace:
dest: /etc/pam.d/login
regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the required PAM module line is included in /etc/pam.d/login
ansible.builtin.lineinfile:
dest: /etc/pam.d/login
line: auth {{ pam_module_control }} pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if the required PAM module option is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*\seven_deny_root\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_accounts_passwords_pam_tally2_deny_root_option_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the "even_deny_root" PAM option for "pam_tally2.so" is included in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so.*)
line: \1 even_deny_root
state: present
register: result_pam_accounts_passwords_pam_tally2_deny_root_add
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_deny_root_option_present.found
is defined
- result_pam_module_accounts_passwords_pam_tally2_deny_root_option_present.found
== 0
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if expected PAM module line is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Include or update the PAM module line in /etc/pam.d/common-account
block:
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if required PAM module line is present in /etc/pam.d/common-account
with different control
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the correct control for the required PAM module line in /etc/pam.d/common-account
ansible.builtin.replace:
dest: /etc/pam.d/common-account
regexp: ^(\s*account\s+).*(\bpam_tally2.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the required PAM module line is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-account
line: account {{ pam_module_control }} pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if the required PAM module option is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*\s\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_accounts_passwords_pam_tally2_deny_root_option_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the "" PAM option for "pam_tally2.so" is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
backrefs: true
regexp: ^(\s*account\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so.*)
line: \1
state: present
register: result_pam_accounts_passwords_pam_tally2_deny_root_add
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_deny_root_option_present.found
is defined
- result_pam_module_accounts_passwords_pam_tally2_deny_root_option_present.found
== 0
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base && { ( ( grep -qP "^ID=[\"']?sles[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="15.7"; [[ "$real" != "$expected" ]] && printf "%s\n%s" "$real" "$expected" | sort -VC; } && rpm --quiet -q pam ) ); }; then
var_password_pam_tally2='5'
if ! grep -qP "^\s*auth\s+required\s+pam_tally2.so\s*.*" "/etc/pam.d/login"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/login")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks "s/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1required \2/" "/etc/pam.d/login"
else
echo "auth required pam_tally2.so" >> "/etc/pam.d/login"
fi
fi
# Check the option
if ! grep -qP "^\s*auth\s+required\s+pam_tally2.so\s*.*\sdeny\b" "/etc/pam.d/login"; then
sed -i -E --follow-symlinks "/\s*auth\s+required\s+pam_tally2.so.*/ s/$/ deny=${var_password_pam_tally2}/" "/etc/pam.d/login"
else
sed -i -E --follow-symlinks "s/(\s*auth\s+required\s+pam_tally2.so\s+.*)(deny=)[[:alnum:]]*\s*(.*)/\1\2${var_password_pam_tally2} \3/" "/etc/pam.d/login"
fi
if ! grep -qP "^\s*auth\s+required\s+pam_tally2.so\s*.*" "/etc/pam.d/login"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/login")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks "s/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1required \2/" "/etc/pam.d/login"
else
echo "auth required pam_tally2.so" >> "/etc/pam.d/login"
fi
fi
# Check the option
if ! grep -qP "^\s*auth\s+required\s+pam_tally2.so\s*.*\seven_deny_root\b" "/etc/pam.d/login"; then
sed -i -E --follow-symlinks "/\s*auth\s+required\s+pam_tally2.so.*/ s/$/ even_deny_root/" "/etc/pam.d/login"
fi
if ! grep -qP "^\s*account\s+required\s+pam_tally2.so\s*.*" "/etc/pam.d/common-account"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*account\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-account")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks "s/^(\s*account\s+).*(\bpam_tally2.so.*)/\1required \2/" "/etc/pam.d/common-account"
else
echo "account required pam_tally2.so" >> "/etc/pam.d/common-account"
fi
fi
# Check the option
if ! grep -qP "^\s*account\s+required\s+pam_tally2.so\s*.*\s\b" "/etc/pam.d/common-account"; then
sed -i -E --follow-symlinks "/\s*account\s+required\s+pam_tally2.so.*/ s/$/ /" "/etc/pam.d/common-account"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Lockout Time for Failed Password Attempts using pam_tally2
[ref]ruleThis rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using pam_tally2.so. Rationale:By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. Identifiers:
CCE-91282-4 References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, 5.3.2, R31, 0421, 0422, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, 8.3.4, 8.3
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_accounts_passwords_pam_tally2_unlock_time # promote to variable
set_fact:
var_accounts_passwords_pam_tally2_unlock_time: !!str 1800
tags:
- always
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Define a
fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
expected PAM module line is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Include or
update the PAM module line in /etc/pam.d/login
block:
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
required PAM module line is present in /etc/pam.d/login with different control
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
the correct control for the required PAM module line in /etc/pam.d/login
ansible.builtin.replace:
dest: /etc/pam.d/login
regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
the required PAM module line is included in /etc/pam.d/login
ansible.builtin.lineinfile:
dest: /etc/pam.d/login
line: auth {{ pam_module_control }} pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Define a
fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
the required PAM module option is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*\sunlock_time\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_accounts_passwords_pam_tally2_unlock_time_option_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure the
"unlock_time" PAM option for "pam_tally2.so" is included in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so.*)
line: \1 unlock_time={{ var_accounts_passwords_pam_tally2_unlock_time }}
state: present
register: result_pam_accounts_passwords_pam_tally2_unlock_time_add
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_unlock_time_option_present.found
is defined
- result_pam_module_accounts_passwords_pam_tally2_unlock_time_option_present.found
== 0
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure the
required value for "unlock_time" PAM option from "pam_tally2.so" in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s+.*)(unlock_time)=[0-9a-zA-Z]*\s*(.*)
line: \1\2={{ var_accounts_passwords_pam_tally2_unlock_time }} \3
register: result_pam_accounts_passwords_pam_tally2_unlock_time_edit
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_unlock_time_option_present.found
> 0
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Define a
fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
expected PAM module line is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Include or
update the PAM module line in /etc/pam.d/common-account
block:
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
required PAM module line is present in /etc/pam.d/common-account with different
control
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
the correct control for the required PAM module line in /etc/pam.d/common-account
ansible.builtin.replace:
dest: /etc/pam.d/common-account
regexp: ^(\s*account\s+).*(\bpam_tally2.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
the required PAM module line is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-account
line: account {{ pam_module_control }} pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Define a
fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
the required PAM module option is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so\s*.*\s\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_accounts_passwords_pam_tally2_unlock_time_option_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure the
"" PAM option for "pam_tally2.so" is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
backrefs: true
regexp: ^(\s*account\s+{{ pam_module_control | regex_escape() }}\s+pam_tally2.so.*)
line: \1
state: present
register: result_pam_accounts_passwords_pam_tally2_unlock_time_add
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'SLES' and ansible_distribution_version is version('15.7',
'<') and "pam" in ansible_facts.packages )
- result_pam_module_accounts_passwords_pam_tally2_unlock_time_option_present.found
is defined
- result_pam_module_accounts_passwords_pam_tally2_unlock_time_option_present.found
== 0
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base && { ( ( grep -qP "^ID=[\"']?sles[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="15.7"; [[ "$real" != "$expected" ]] && printf "%s\n%s" "$real" "$expected" | sort -VC; } && rpm --quiet -q pam ) ); }; then
var_accounts_passwords_pam_tally2_unlock_time='1800'
# Use a non-number regexp to force update of the value of the deny option
if ! grep -qP "^\s*auth\s+required\s+pam_tally2.so\s*.*" "/etc/pam.d/login"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/login")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks "s/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1required \2/" "/etc/pam.d/login"
else
echo "auth required pam_tally2.so" >> "/etc/pam.d/login"
fi
fi
# Check the option
if ! grep -qP "^\s*auth\s+required\s+pam_tally2.so\s*.*\sunlock_time\b" "/etc/pam.d/login"; then
sed -i -E --follow-symlinks "/\s*auth\s+required\s+pam_tally2.so.*/ s/$/ unlock_time=${var_accounts_passwords_pam_tally2_unlock_time}/" "/etc/pam.d/login"
else
sed -i -E --follow-symlinks "s/(\s*auth\s+required\s+pam_tally2.so\s+.*)(unlock_time=)[[:alnum:]]*\s*(.*)/\1\2${var_accounts_passwords_pam_tally2_unlock_time} \3/" "/etc/pam.d/login"
fi
if ! grep -qP "^\s*account\s+required\s+pam_tally2.so\s*.*" "/etc/pam.d/common-account"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*account\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-account")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks "s/^(\s*account\s+).*(\bpam_tally2.so.*)/\1required \2/" "/etc/pam.d/common-account"
else
echo "account required pam_tally2.so" >> "/etc/pam.d/common-account"
fi
fi
# Check the option
if ! grep -qP "^\s*account\s+required\s+pam_tally2.so\s*.*\s\b" "/etc/pam.d/common-account"; then
sed -i -E --follow-symlinks "/\s*account\s+required\s+pam_tally2.so.*/ s/$/ /" "/etc/pam.d/common-account"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Password Quality Requirements
[ref]groupThe default pam_pwquality PAM module provides strength
checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of
at least a certain length, are not the previous password reversed,
and are not simply a change of case from the previous password. It
can also require passwords to be in certain character classes. The
pam_pwquality module is the preferred way of configuring
password requirements.
The man pages pam_pwquality(8)
provide information on the capabilities and configuration of
each. |
| contains 5 rules |
Set Password Quality Requirements, if using
pam_cracklib
[ref]groupThe pam_cracklib PAM module can be configured to meet
requirements for a variety of policies.
For example, to configure pam_cracklib to require at least one uppercase
character, lowercase character, digit, and other (special)
character, locate the following line in /etc/pam.d/system-auth:
password requisite pam_cracklib.so try_first_pass retry=3
and then alter it to read:
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth.
The arguments can be modified to ensure compliance with
your organization's security policy. Discussion of each parameter follows.Warning:
Note that the password quality requirements are not enforced for the
root account for some reason. |
| contains 5 rules |
Set Password Strength Minimum Digit Characters
[ref]ruleThe pam_cracklib module's dcredit parameter controls requirements
for usage of digits in a password. When set to a negative number, any
password will be required to contain that many digits. When set to a
positive number, pam_cracklib will grant +1 additional length credit for
each digit. Add dcredit=-1 after pam_cracklib.so to require use of
a digit in passwords. Rationale:Requiring digits makes password guessing attacks more difficult by ensuring
a larger search space. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_password_pam_dcredit # promote to variable
set_fact:
var_password_pam_dcredit: !!str -1
tags:
- always
- name: Set control_flag fact
ansible.builtin.set_fact:
control_flag: requisite
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check to see if 'pam_cracklib.so' module is configured in '/etc/pam.d/common-password'
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+\S+\s+pam_cracklib.so' /etc/pam.d/common-password || true
register: check_pam_module_result
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure 'pam_cracklib.so' module in '/etc/pam.d/common-password'
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
line: password requisite pam_cracklib.so
state: present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- check_pam_module_result.stdout is defined and '"pam_cracklib.so" not in check_pam_module_result.stdout'
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure 'pam_cracklib.so' module has conforming control flag
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+)\S+(\s+pam_cracklib.so\s+.*)
line: \g<1>requisite\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- control_flag|length
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_cracklib.so" module has argument "dcredit={{ var_password_pam_dcredit
}}"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so(?:\s+\S+)*\s+dcredit=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_dcredit }}\g<2>
backrefs: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "dcredit" argument in "pam_cracklib.so" module
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_cracklib.so.*\s+dcredit(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "dcredit" argument to "pam_cracklib.so" module
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> dcredit={{ var_password_pam_dcredit }}\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- check_pam_module_argument_result is not skipped and '"dcredit" not in check_pam_module_argument_result.stdout'
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
declare -a DEL_ARGS=()
var_password_pam_dcredit='-1'
VALUES+=("$var_password_pam_dcredit")
VALUE_NAMES+=("dcredit")
ARGS+=("")
NEW_ARGS+=("")
for idx in "${!VALUES[@]}"
do
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_cracklib.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
done
for idx in "${!ARGS[@]}"
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
if [ -n "${DEL_ARGS[$idx]}" ]; then
sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
fi
fi
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Password Strength Minimum Lowercase Characters
[ref]ruleThe pam_cracklib module's lcredit= parameter controls requirements
for usage of lowercase letters in a password. When set to a negative
number, any password will be required to contain that many lowercase
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each lowercase character.
Add lcredit=-1 after pam_cracklib.so to require use of a
lowercase character in passwords. Rationale:Requiring a minimum number of lowercase characters makes password guessing
attacks more difficult by ensuring a larger search space. Identifiers:
CCE-85676-5 References:
IA-5(1)(a), IA-5(1).1(v), Req-8.2.3, SRG-OS-000070-GPOS-00038, SLES-15-020140, 5.3.1, R31, SLES-15-600450120, 8.3.6, 8.3, SV-234883r1009622_rule
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_password_pam_lcredit # promote to variable
set_fact:
var_password_pam_lcredit: !!str -1
tags:
- always
- name: Set control_flag fact
ansible.builtin.set_fact:
control_flag: requisite
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check to see if 'pam_cracklib.so' module is configured in '/etc/pam.d/common-password'
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+\S+\s+pam_cracklib.so' /etc/pam.d/common-password || true
register: check_pam_module_result
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure 'pam_cracklib.so' module in '/etc/pam.d/common-password'
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
line: password requisite pam_cracklib.so
state: present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- check_pam_module_result.stdout is defined and '"pam_cracklib.so" not in check_pam_module_result.stdout'
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure 'pam_cracklib.so' module has conforming control flag
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+)\S+(\s+pam_cracklib.so\s+.*)
line: \g<1>requisite\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- control_flag|length
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_cracklib.so" module has argument "lcredit={{ var_password_pam_lcredit
}}"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so(?:\s+\S+)*\s+lcredit=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_lcredit }}\g<2>
backrefs: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "lcredit" argument in "pam_cracklib.so" module
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_cracklib.so.*\s+lcredit(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "lcredit" argument to "pam_cracklib.so" module
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> lcredit={{ var_password_pam_lcredit }}\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- check_pam_module_argument_result is not skipped and '"lcredit" not in check_pam_module_argument_result.stdout'
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
declare -a DEL_ARGS=()
var_password_pam_lcredit='-1'
VALUES+=("$var_password_pam_lcredit")
VALUE_NAMES+=("lcredit")
ARGS+=("")
NEW_ARGS+=("")
for idx in "${!VALUES[@]}"
do
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_cracklib.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
done
for idx in "${!ARGS[@]}"
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
if [ -n "${DEL_ARGS[$idx]}" ]; then
sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
fi
fi
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Password Minimum Length
[ref]ruleThe pam_cracklib module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=15
to set minimum password length requirements. Rationale:Password length is one factor of several that helps to determine
strength and how long it takes to crack a password. Use of more characters in
a password helps to exponentially increase the time and/or resources
required to compromise the password. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_password_pam_minlen # promote to variable
set_fact:
var_password_pam_minlen: !!str 15
tags:
- always
- name: Set control_flag fact
ansible.builtin.set_fact:
control_flag: requisite
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check to see if 'pam_cracklib.so' module is configured in '/etc/pam.d/common-password'
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+\S+\s+pam_cracklib.so' /etc/pam.d/common-password || true
register: check_pam_module_result
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure 'pam_cracklib.so' module in '/etc/pam.d/common-password'
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
line: password requisite pam_cracklib.so
state: present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- check_pam_module_result.stdout is defined and '"pam_cracklib.so" not in check_pam_module_result.stdout'
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure 'pam_cracklib.so' module has conforming control flag
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+)\S+(\s+pam_cracklib.so\s+.*)
line: \g<1>requisite\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- control_flag|length
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_cracklib.so" module has argument "minlen={{ var_password_pam_minlen
}}"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so(?:\s+\S+)*\s+minlen=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_minlen }}\g<2>
backrefs: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "minlen" argument in "pam_cracklib.so" module
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_cracklib.so.*\s+minlen(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "minlen" argument to "pam_cracklib.so" module
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> minlen={{ var_password_pam_minlen }}\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- check_pam_module_argument_result is not skipped and '"minlen" not in check_pam_module_argument_result.stdout'
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
declare -a DEL_ARGS=()
var_password_pam_minlen='15'
VALUES+=("$var_password_pam_minlen")
VALUE_NAMES+=("minlen")
ARGS+=("")
NEW_ARGS+=("")
for idx in "${!VALUES[@]}"
do
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_cracklib.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
done
for idx in "${!ARGS[@]}"
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
if [ -n "${DEL_ARGS[$idx]}" ]; then
sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
fi
fi
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Password Strength Minimum Special Characters
[ref]ruleThe pam_cracklib module's ocredit= parameter controls requirements
for usage of special (or ``other'') characters in a password. When set to a
negative number, any password will be required to contain that many special
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each special character.
Make sure the ocredit parameter for the pam_cracklib module is
set to less than or equal to -1. For example, ocredit=-1. Rationale:Requiring a minimum number of special characters makes password guessing
attacks more difficult by ensuring a larger search space. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_password_pam_ocredit # promote to variable
set_fact:
var_password_pam_ocredit: !!str -1
tags:
- always
- name: Set control_flag fact
ansible.builtin.set_fact:
control_flag: requisite
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check to see if 'pam_cracklib.so' module is configured in '/etc/pam.d/common-password'
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+\S+\s+pam_cracklib.so' /etc/pam.d/common-password || true
register: check_pam_module_result
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure 'pam_cracklib.so' module in '/etc/pam.d/common-password'
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
line: password requisite pam_cracklib.so
state: present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- check_pam_module_result.stdout is defined and '"pam_cracklib.so" not in check_pam_module_result.stdout'
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure 'pam_cracklib.so' module has conforming control flag
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+)\S+(\s+pam_cracklib.so\s+.*)
line: \g<1>requisite\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- control_flag|length
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_cracklib.so" module has argument "ocredit={{ var_password_pam_ocredit
}}"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so(?:\s+\S+)*\s+ocredit=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_ocredit }}\g<2>
backrefs: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "ocredit" argument in "pam_cracklib.so" module
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_cracklib.so.*\s+ocredit(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "ocredit" argument to "pam_cracklib.so" module
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> ocredit={{ var_password_pam_ocredit }}\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- check_pam_module_argument_result is not skipped and '"ocredit" not in check_pam_module_argument_result.stdout'
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
declare -a DEL_ARGS=()
var_password_pam_ocredit='-1'
VALUES+=("$var_password_pam_ocredit")
VALUE_NAMES+=("ocredit")
ARGS+=("")
NEW_ARGS+=("")
for idx in "${!VALUES[@]}"
do
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_cracklib.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
done
for idx in "${!ARGS[@]}"
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
if [ -n "${DEL_ARGS[$idx]}" ]; then
sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
fi
fi
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Password Strength Minimum Uppercase Characters
[ref]ruleThe pam_cracklib module's ucredit= parameter controls requirements
for usage of uppercase letters in a password. When set to a negative
number, any password will be required to contain that many uppercase
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each uppercase character.
Add ucredit=-1 after pam_cracklib.so to require use of an upper
case character in passwords. Rationale:Requiring a minimum number of uppercase characters makes password guessing
attacks more difficult by ensuring a larger search space. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_password_pam_ucredit # promote to variable
set_fact:
var_password_pam_ucredit: !!str -1
tags:
- always
- name: Set control_flag fact
ansible.builtin.set_fact:
control_flag: requisite
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check to see if 'pam_cracklib.so' module is configured in '/etc/pam.d/common-password'
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+\S+\s+pam_cracklib.so' /etc/pam.d/common-password || true
register: check_pam_module_result
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure 'pam_cracklib.so' module in '/etc/pam.d/common-password'
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
line: password requisite pam_cracklib.so
state: present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- check_pam_module_result.stdout is defined and '"pam_cracklib.so" not in check_pam_module_result.stdout'
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure 'pam_cracklib.so' module has conforming control flag
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+)\S+(\s+pam_cracklib.so\s+.*)
line: \g<1>requisite\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- control_flag|length
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_cracklib.so" module has argument "ucredit={{ var_password_pam_ucredit
}}"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so(?:\s+\S+)*\s+ucredit=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_ucredit }}\g<2>
backrefs: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "ucredit" argument in "pam_cracklib.so" module
ansible.builtin.shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_cracklib.so.*\s+ucredit(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "ucredit" argument to "pam_cracklib.so" module
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> ucredit={{ var_password_pam_ucredit }}\g<2>
backrefs: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- check_pam_module_argument_result is not skipped and '"ucredit" not in check_pam_module_argument_result.stdout'
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
declare -a DEL_ARGS=()
var_password_pam_ucredit='-1'
VALUES+=("$var_password_pam_ucredit")
VALUE_NAMES+=("ucredit")
ARGS+=("")
NEW_ARGS+=("")
for idx in "${!VALUES[@]}"
do
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_cracklib.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
done
for idx in "${!ARGS[@]}"
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
if [ -n "${DEL_ARGS[$idx]}" ]; then
sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
fi
fi
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Password Hashing Algorithm
[ref]groupThe system's default algorithm for storing password hashes in
/etc/shadow is SHA-512. This can be configured in several
locations. |
| contains 2 rules |
Set PAM Password Hashing Algorithm - system-auth
[ref]ruleThe PAM system service can be configured to only store encrypted representations of passwords.
In "/etc/pam.d/common-password", the password section of the file controls which
PAM modules to execute during a password change.
Set the pam_unix.so module in the password section to include the option
sha512 and no other hashing
algorithms as shown below:
password required pam_unix.so sha512 other arguments...
This will help ensure that new passwords for local users will be stored using the
sha512 algorithm.Warning:
The hashing algorithms to be used with pam_unix.so are defined with independent module
options. There are at least 7 possible algorithms and likely more algorithms will be
introduced along the time. Due the the number of options and its possible combinations,
the use of multiple hashing algorithm options may bring unexpected behaviors to the
system. For this reason the check will pass only when one hashing algorithm option is
defined and is aligned to the "var_password_hashing_algorithm_pam" variable. The
remediation will ensure the correct option and remove any other extra hashing algorithm
option. Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.
This setting ensures user and group account administration utilities are configured to store
only encrypted representations of passwords. Additionally, the crypt_style
configuration option in /etc/libuser.conf ensures the use of a strong hashing
algorithm that makes password cracking attacks more difficult. Identifiers:
CCE-85565-0 References:
1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, SLES-15-020170, R68, SLES-15-600450255, 0418, 1055, 1402, 8.3.2, 8.3, SV-234886r1009625_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85565-0
- CJIS-5.6.2.2
- DISA-STIG-SLES-15-020170
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
- name: XCCDF Value var_password_hashing_algorithm_pam # promote to variable
set_fact:
var_password_hashing_algorithm_pam: !!str sha512
tags:
- always
- name: Set PAM Password Hashing Algorithm - system-auth - Check if /etc/pam.d/common-password
file is present
ansible.builtin.stat:
path: /etc/pam.d/common-password
register: result_pam_auth_file_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CCE-85565-0
- CJIS-5.6.2.2
- DISA-STIG-SLES-15-020170
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
- name: Set PAM Password Hashing Algorithm - system-auth - Check the proper remediation
for the system
block:
- name: Set PAM Password Hashing Algorithm - system-auth - Define the PAM file to
be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/common-password
- name: Set PAM Password Hashing Algorithm - system-auth - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure authselect custom
profile is used if authselect is present
block:
- name: Set PAM Password Hashing Algorithm - system-auth - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set PAM Password Hashing Algorithm - system-auth - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set PAM Password Hashing Algorithm - system-auth - Get authselect current
profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set PAM Password Hashing Algorithm - system-auth - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set PAM Password Hashing Algorithm - system-auth - Define the new authselect
custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set PAM Password Hashing Algorithm - system-auth - Get authselect current
features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM Password Hashing Algorithm - system-auth - Check if any custom
profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM Password Hashing Algorithm - system-auth - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM Password Hashing Algorithm - system-auth - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM Password Hashing Algorithm - system-auth - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set PAM Password Hashing Algorithm - system-auth - Change the PAM file
to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set PAM Password Hashing Algorithm - system-auth - Define a fact for control
already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
- name: Set PAM Password Hashing Algorithm - system-auth - Check if expected PAM
module line is present in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: Set PAM Password Hashing Algorithm - system-auth - Include or update the
PAM module line in {{ pam_file_path }}
block:
- name: Set PAM Password Hashing Algorithm - system-auth - Check if required PAM
module line is present in {{ pam_file_path }} with different control
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_unix.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure the correct
control for the required PAM module line in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_unix.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure the required
PAM module line is included in {{ pam_file_path }}
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
line: password {{ pam_module_control }} pam_unix.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
- name: Set PAM Password Hashing Algorithm - system-auth - Define a fact for control
already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: required
- name: Set PAM Password Hashing Algorithm - system-auth - Check if the required
PAM module option is present in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s*.*\s{{
var_password_hashing_algorithm_pam.split("|")[0] }}\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_set_password_hashing_algorithm_systemauth_option_present
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure the "{{ var_password_hashing_algorithm_pam.split("|")[0]
}}" PAM option for "pam_unix.so" is included in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so.*)
line: \1 {{ var_password_hashing_algorithm_pam.split("|")[0] }}
state: present
register: result_pam_set_password_hashing_algorithm_systemauth_add
when:
- result_pam_module_set_password_hashing_algorithm_systemauth_option_present.found
is defined
- result_pam_module_set_password_hashing_algorithm_systemauth_option_present.found
== 0
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- |-
(result_pam_set_password_hashing_algorithm_systemauth_add is defined and result_pam_set_password_hashing_algorithm_systemauth_add.changed)
or (result_pam_set_password_hashing_algorithm_systemauth_edit is defined and result_pam_set_password_hashing_algorithm_systemauth_edit.changed)
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_pam_auth_file_present.stat.exists
tags:
- CCE-85565-0
- CJIS-5.6.2.2
- DISA-STIG-SLES-15-020170
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
- name: Set PAM Password Hashing Algorithm - system-auth - Check if /etc/pam.d/common-password
File is Present
ansible.builtin.stat:
path: /etc/pam.d/common-password
register: result_pam_auth_file_present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CCE-85565-0
- CJIS-5.6.2.2
- DISA-STIG-SLES-15-020170
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
- name: Set PAM Password Hashing Algorithm - system-auth - Check The Proper Remediation
For The System
block:
- name: Set PAM Password Hashing Algorithm - system-auth - Define the PAM file to
be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/common-password
- name: Set PAM Password Hashing Algorithm - system-auth - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure authselect custom
profile is used if authselect is present
block:
- name: Set PAM Password Hashing Algorithm - system-auth - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set PAM Password Hashing Algorithm - system-auth - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set PAM Password Hashing Algorithm - system-auth - Get authselect current
profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set PAM Password Hashing Algorithm - system-auth - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set PAM Password Hashing Algorithm - system-auth - Define the new authselect
custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set PAM Password Hashing Algorithm - system-auth - Get authselect current
features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM Password Hashing Algorithm - system-auth - Check if any custom
profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM Password Hashing Algorithm - system-auth - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM Password Hashing Algorithm - system-auth - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM Password Hashing Algorithm - system-auth - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set PAM Password Hashing Algorithm - system-auth - Change the PAM file
to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set PAM Password Hashing Algorithm - system-auth - Check if "{{ pam_file_path
}}" File is Present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: pam_file_path_present
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure That Only the
Correct Hashing Algorithm Option For pam_unix.so Is Used in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (^\s*password.*pam_unix\.so.*)\b{{ item }}\b\s*(.*)
replace: \1\2
when:
- item != var_password_hashing_algorithm_pam.split('|')[0]
- pam_file_path_present.stat.exists
loop:
- sha512
- yescrypt
- gost_yescrypt
- blowfish
- sha256
- md5
- bigcrypt
register: result_pam_hashing_options_removal
- name: Set PAM Password Hashing Algorithm - system-auth - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_hashing_options_removal is changed
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_pam_auth_file_present.stat.exists
tags:
- CCE-85565-0
- CJIS-5.6.2.2
- DISA-STIG-SLES-15-020170
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base && { rpm --quiet -q pam; }; then
var_password_hashing_algorithm_pam='sha512'
# Allow multiple algorithms, but choose the first one for remediation
var_password_hashing_algorithm_pam="$(echo $var_password_hashing_algorithm_pam | cut -d \| -f 1)"
PAM_FILE_PATH="/etc/pam.d/common-password"
# Ensure all the hashing algorithm option is removed.
declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blowfish" "sha256" "md5" "bigcrypt")
for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do
if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$PAM_FILE_PATH"; then
if [ -e "$PAM_FILE_PATH" ] ; then
PAM_FILE_PATH="$PAM_FILE_PATH"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
# If not already in use, a custom profile is created preserving the enabled features.
if [[ ! $CURRENT_PROFILE == custom/* ]]; then
ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
# The "local" profile does not contain essential security features required by multiple Benchmarks.
# If currently used, it is replaced by "sssd", which is the best option in this case.
if [[ $CURRENT_PROFILE == local ]]; then
CURRENT_PROFILE="sssd"
fi
authselect create-profile hardening -b $CURRENT_PROFILE
CURRENT_PROFILE="custom/hardening"
authselect apply-changes -b --backup=before-hardening-custom-profile
authselect select $CURRENT_PROFILE
for feature in $ENABLED_FEATURES; do
authselect enable-feature $feature;
done
authselect apply-changes -b --backup=after-hardening-custom-profile
fi
PAM_FILE_NAME=$(basename "$PAM_FILE_PATH")
PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
authselect apply-changes -b
fi
if grep -qP "^\s*password\s+.*\s+pam_unix.so\s.*\b$hash_option\b" "$PAM_FILE_PATH"; then
sed -i -E --follow-symlinks "s/(.*password.*.*.*pam_unix.so.*)\b$hash_option\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
authselect apply-changes -b
fi
else
echo "$PAM_FILE_PATH was not found" >&2
fi
fi
done
if [ -e "$PAM_FILE_PATH" ] ; then
PAM_FILE_PATH="$PAM_FILE_PATH"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
# If not already in use, a custom profile is created preserving the enabled features.
if [[ ! $CURRENT_PROFILE == custom/* ]]; then
ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
# The "local" profile does not contain essential security features required by multiple Benchmarks.
# If currently used, it is replaced by "sssd", which is the best option in this case.
if [[ $CURRENT_PROFILE == local ]]; then
CURRENT_PROFILE="sssd"
fi
authselect create-profile hardening -b $CURRENT_PROFILE
CURRENT_PROFILE="custom/hardening"
authselect apply-changes -b --backup=before-hardening-custom-profile
authselect select $CURRENT_PROFILE
for feature in $ENABLED_FEATURES; do
authselect enable-feature $feature;
done
authselect apply-changes -b --backup=after-hardening-custom-profile
fi
PAM_FILE_NAME=$(basename "$PAM_FILE_PATH")
PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
authselect apply-changes -b
fi
if ! grep -qP "^\s*password\s+required\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_unix.so.*)/\1required \2/" "$PAM_FILE_PATH"
else
echo "password required pam_unix.so" >> "$PAM_FILE_PATH"
fi
fi
# Check the option
if ! grep -qP "^\s*password\s+required\s+pam_unix.so\s*.*\s$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
sed -i -E --follow-symlinks "/\s*password\s+required\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
authselect apply-changes -b
fi
else
echo "$PAM_FILE_PATH was not found" >&2
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Password Hashing Rounds in /etc/login.defs
[ref]ruleIn /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and
SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000.
For example:
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000
Notice that if neither are set, they already have the default value of 5000.
If either is set, they must have the minimum value of 5000.Rationale:Passwords need to be protected at all times, and hashing is the standard
method for protecting passwords. If passwords are not hashed, they can
be plainly read (i.e., clear text) and easily compromised. Passwords
that are hashed with a weak algorithm are no more protected than if
they are kept in plain text.
Using more hashing rounds makes password cracking attacks more difficult. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85567-6
- DISA-STIG-SLES-15-020190
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_min_rounds_logindefs
- name: XCCDF Value var_password_hashing_min_rounds_login_defs # promote to variable
set_fact:
var_password_hashing_min_rounds_login_defs: !!str 5000
tags:
- always
- name: Set Password Hashing Rounds in /etc/login.defs - extract contents of the file
/etc/login.defs
ansible.builtin.slurp:
src: /etc/login.defs
register: etc_login_defs
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85567-6
- DISA-STIG-SLES-15-020190
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_min_rounds_logindefs
- name: Set Password Hashing Rounds in /etc/login.defs - extract the value of SHA_CRYPT_MIN_ROUNDS
if present
ansible.builtin.set_fact:
etc_login_defs_sha_crypt_min_rounds: '{{ etc_login_defs[''content''] | b64decode
| regex_search(''^\s*SHA_CRYPT_MIN_ROUNDS\s+(\d+)'', ''\1'', multiline=True)
| default([], true) }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85567-6
- DISA-STIG-SLES-15-020190
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_min_rounds_logindefs
- name: Set Password Hashing Rounds in /etc/login.defs - extract the value of SHA_CRYPT_MAX_ROUNDS
if present
ansible.builtin.set_fact:
etc_login_defs_sha_crypt_max_rounds: '{{ etc_login_defs[''content''] | b64decode
| regex_search(''^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)'', ''\1'', multiline=True)
| default([], true) }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85567-6
- DISA-STIG-SLES-15-020190
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_min_rounds_logindefs
- name: Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MIN_ROUNDS
has Minimum Value of 5000
ansible.builtin.replace:
path: /etc/login.defs
regexp: (^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?:\d+)(.*$)
replace: \g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>
backup: false
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- etc_login_defs_sha_crypt_min_rounds is defined and etc_login_defs_sha_crypt_min_rounds
| length > 0 and etc_login_defs_sha_crypt_min_rounds | first | int < var_password_hashing_min_rounds_login_defs
| int
tags:
- CCE-85567-6
- DISA-STIG-SLES-15-020190
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_min_rounds_logindefs
- name: Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MAX_ROUNDS
has Minimum Value of 5000
ansible.builtin.replace:
path: /etc/login.defs
regexp: (^\s*SHA_CRYPT_MAX_ROUNDS\s+)(?:\d+)(.*$)
replace: \g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>
backup: false
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- etc_login_defs_sha_crypt_max_rounds is defined and etc_login_defs_sha_crypt_max_rounds
| length > 0 and etc_login_defs_sha_crypt_max_rounds | first | int < var_password_hashing_min_rounds_login_defs
| int
tags:
- CCE-85567-6
- DISA-STIG-SLES-15-020190
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_min_rounds_logindefs
- name: Set Password Hashing Rounds in /etc/login.defs - SHA_CRYPT_MIN_ROUNDS add
configuration if not found
ansible.builtin.lineinfile:
line: SHA_CRYPT_MIN_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}
path: /etc/login.defs
state: present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- etc_login_defs_sha_crypt_min_rounds | length == 0
tags:
- CCE-85567-6
- DISA-STIG-SLES-15-020190
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_min_rounds_logindefs
- name: Set Password Hashing Rounds in /etc/login.defs - SHA_CRYPT_MAX_ROUNDS add
configuration if not found
ansible.builtin.lineinfile:
line: SHA_CRYPT_MAX_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}
path: /etc/login.defs
state: present
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- etc_login_defs_sha_crypt_max_rounds | length == 0
tags:
- CCE-85567-6
- DISA-STIG-SLES-15-020190
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_min_rounds_logindefs
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
var_password_hashing_min_rounds_login_defs='5000'
config_file=/etc/login.defs
current_min_rounds=$(grep -Po '^\s*SHA_CRYPT_MIN_ROUNDS\s+\K\d+' "$config_file")
current_max_rounds=$(grep -Po '^\s*SHA_CRYPT_MAX_ROUNDS\s+\K\d+' "$config_file")
if [[ -z "$current_min_rounds" || "$current_min_rounds" -le "$var_password_hashing_min_rounds_login_defs" ]]; then
if [ -e "/etc/login.defs" ] ; then
LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs"
else
printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
return 1
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/login.defs"
cp "/etc/login.defs" "/etc/login.defs.bak"
# Insert at the end of the file
printf '%s\n' "SHA_CRYPT_MIN_ROUNDS $var_password_hashing_min_rounds_login_defs" >> "/etc/login.defs"
# Clean up after ourselves.
rm "/etc/login.defs.bak"
fi
if [[ -n "$current_max_rounds" && "$current_max_rounds" -le "$var_password_hashing_min_rounds_login_defs" ]]; then
if [ -e "/etc/login.defs" ] ; then
LC_ALL=C sed -i "/^\s*SHA_CRYPT_MAX_ROUNDS\s*/Id" "/etc/login.defs"
else
printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
return 1
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/login.defs"
cp "/etc/login.defs" "/etc/login.defs.bak"
# Insert at the end of the file
printf '%s\n' "SHA_CRYPT_MAX_ROUNDS $var_password_hashing_min_rounds_login_defs" >> "/etc/login.defs"
# Clean up after ourselves.
rm "/etc/login.defs.bak"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Up a Private Namespace in PAM Configuration
[ref]ruleTo setup a private namespace add the following line to /etc/pam.d/login:
session required pam_namespace.so Rationale:The pam_namespace PAM module sets up a private namespace for a
session with polyinstantiated directories. A polyinstantiated directory
provides a different instance of itself based on user name, or when using
SELinux, user name, security context or both. The polyinstatied directories
can be used to dedicate separate temporary directories to each account. Identifiers:
CCE-91196-6 References:
R55
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91196-6
- enable_pam_namespace
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Make changes to /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
create: false
regexp: ^\s*session\s+required\s+pam_namespace.so\s*$
line: session required pam_namespace.so
state: present
when: ( "pam" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- CCE-91196-6
- enable_pam_namespace
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
# Remediation is applicable only in certain platforms
if ( ( rpm --quiet -q pam && rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ) ); then
if ! grep -Eq '^\s*session\s+required\s+pam_namespace.so\s*$' '/etc/pam.d/login' ; then
echo "session required pam_namespace.so" >> "/etc/pam.d/login"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Protect Physical Console Access
[ref]groupIt is impossible to fully protect a system from an
attacker with physical access, so securing the space in which the
system is located should be considered a necessary step. However,
there are some steps which, if taken, make it more difficult for an
attacker to quickly or undetectably modify a system from its
console. |
| contains 1 rule |
Configure Logind to terminate idle sessions after certain time of inactivity
[ref]ruleTo configure logind service to terminate inactive user sessions
after 600 seconds, edit the file
/etc/systemd/logind.conf. Ensure that there is a section
[Login] which contains the configuration
StopIdleSessionSec=600 .Rationale:Terminating an idle session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management
session enabled on the console or console port that has been let unattended. Identifiers:
CCE-92692-3 References:
1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, FMT_SMF_EXT.1.1, Req-8.1.8, SRG-OS-000163-GPOS-00072, R32
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92692-3
- CJIS-5.5.6
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- logind_session_timeout
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: XCCDF Value var_logind_session_timeout # promote to variable
set_fact:
var_logind_session_timeout: !!str 600
tags:
- always
- name: Set 'StopIdleSessionSec' to '{{ var_logind_session_timeout }}' in the [Login]
section of '/etc/systemd/logind.conf.d/oscap-idle-sessions.conf'
community.general.ini_file:
path: /etc/systemd/logind.conf.d/oscap-idle-sessions.conf
section: Login
option: StopIdleSessionSec
value: '{{ var_logind_session_timeout }}'
create: true
mode: 420
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ( ansible_distribution == 'RedHat' and ansible_distribution_version is version('8.7',
'>=') and ansible_distribution == 'RedHat' and ansible_distribution_version is
version('9.0', '!=') ) or ansible_distribution == 'OracleLinux' and ansible_distribution_version
is version('8.7', '>=') or ansible_distribution == 'SLES' and ansible_distribution_version
is version('15', '>=')
tags:
- CCE-92692-3
- CJIS-5.5.6
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- logind_session_timeout
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base && { ( ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; [[ "$real" != "$expected" ]]; } ) ) || ( grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -qP "^ID=[\"']?sles[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="15"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ); }; then
var_logind_session_timeout='600'
# create drop-in in the /etc/systemd/logind.conf.d/ directory
# Try find '[Login]' and 'StopIdleSessionSec' in '/etc/systemd/logind.conf.d/oscap-idle-sessions.conf', if it exists, set
# to '$var_logind_session_timeout', if it isn't here, add it, if '[Login]' doesn't exist, add it there
if grep -qzosP '[[:space:]]*\[Login]([^\n\[]*\n+)+?[[:space:]]*StopIdleSessionSec' '/etc/systemd/logind.conf.d/oscap-idle-sessions.conf'; then
sed -i "s/StopIdleSessionSec[^(\n)]*/StopIdleSessionSec=$var_logind_session_timeout/" '/etc/systemd/logind.conf.d/oscap-idle-sessions.conf'
elif grep -qs '[[:space:]]*\[Login]' '/etc/systemd/logind.conf.d/oscap-idle-sessions.conf'; then
sed -i "/[[:space:]]*\[Login]/a StopIdleSessionSec=$var_logind_session_timeout" '/etc/systemd/logind.conf.d/oscap-idle-sessions.conf'
else
if test -d "/etc/systemd/logind.conf.d"; then
printf '%s\n' '[Login]' "StopIdleSessionSec=$var_logind_session_timeout" >> '/etc/systemd/logind.conf.d/oscap-idle-sessions.conf'
else
echo "Config file directory '/etc/systemd/logind.conf.d' doesnt exist, not remediating, assuming non-applicability." >&2
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Protect Accounts by Restricting Password-Based Login
[ref]groupConventionally, Unix shell accounts are accessed by
providing a username and password to a login program, which tests
these values for correctness using the /etc/passwd and
/etc/shadow files. Password-based login is vulnerable to
guessing of weak passwords, and to sniffing and man-in-the-middle
attacks against passwords entered over a network or at an insecure
console. Therefore, mechanisms for accessing accounts by entering
usernames and passwords should be restricted to those which are
operationally necessary. |
| contains 3 rules |
Set Password Expiration Parameters
[ref]groupThe file /etc/login.defs controls several
password-related settings. Programs such as passwd,
su, and
login consult /etc/login.defs to determine
behavior with regard to password aging, expiration warnings,
and length. See the man page login.defs(5) for more information.
Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to
change passwords often should be balanced against the risk that
users will reuse or write down passwords if forced to change them
too often. Forcing password changes every 90-360 days, depending on
the environment, is recommended. Set the appropriate value as
PASS_MAX_DAYS and apply it to existing accounts with the
-M flag.
The PASS_MIN_DAYS (-m) setting prevents password
changes for 7 days after the first change, to discourage password
cycling. If you use this setting, train users to contact an administrator
for an emergency password change in case a new password becomes
compromised. The PASS_WARN_AGE (-W) setting gives
users 7 days of warnings at login time that their passwords are about to expire.
For example, for each existing human user USER, expiration parameters
could be adjusted to a 180 day maximum password age, 7 day minimum password
age, and 7 day warning period with the following command:
$ sudo chage -M 180 -m 7 -W 7 USER |
| contains 2 rules |
Set Password Minimum Length in login.defs
[ref]ruleTo specify password length requirements for new accounts, edit the file
/etc/login.defs and add or correct the following line:
PASS_MIN_LEN 15
The profile requirement is
15.
If a program consults /etc/login.defs and also another PAM module
(such as pam_pwquality) during a password change operation, then
the most restrictive must be satisfied. See PAM section for more
information about enforcing password quality requirements.Rationale:Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or counterproductive
behavior that may result. Identifiers:
CCE-91168-5 References:
1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.7, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(a), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000078-GPOS-00046, R31, 0421, 0422, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91168-5
- CJIS-5.6.2.1
- NIST-800-171-3.5.7
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(f)
- accounts_password_minlen_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_accounts_password_minlen_login_defs # promote to variable
set_fact:
var_accounts_password_minlen_login_defs: !!str 15
tags:
- always
- name: Set Password Minimum Length in login.defs
ansible.builtin.lineinfile:
dest: /etc/login.defs
regexp: ^PASS_MIN_LEN *[0-9]*
state: present
line: PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }}
create: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"shadow" in ansible_facts.packages'
tags:
- CCE-91168-5
- CJIS-5.6.2.1
- NIST-800-171-3.5.7
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(f)
- accounts_password_minlen_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base && { rpm --quiet -q shadow; }; then
var_accounts_password_minlen_login_defs='15'
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^PASS_MIN_LEN")
# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_password_minlen_login_defs"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^PASS_MIN_LEN\\>" "/etc/login.defs"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^PASS_MIN_LEN\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
else
if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
fi
cce="CCE-91168-5"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs"
printf '%s\n' "$formatted_output" >> "/etc/login.defs"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Root Account Password Maximum Age
[ref]ruleConfigure the root account to enforce a 365-day maximum password lifetime restriction by running the following command:
$ sudo chage -M 365 root Rationale:Any password, no matter how complex, can eventually be cracked. Therefore,
passwords need to be changed periodically. If the operating system does
not limit the lifetime of passwords and force users to change their
passwords, there is the risk that the operating system passwords could be
compromised. |
Restrict Root Logins
[ref]groupDirect root logins should be allowed only for emergency use.
In normal situations, the administrator should access the system
via a unique unprivileged account, and then use su or sudo to execute
privileged commands. Discouraging administrators from accessing the
root account directly ensures an audit trail in organizations with
multiple administrators. Locking down the channels through which
root can connect directly also reduces opportunities for
password-guessing against the root account. The login program
uses the file /etc/securetty to determine which interfaces
should allow root logins.
The virtual devices /dev/console
and /dev/tty* represent the system consoles (accessible via
the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
installation). The default securetty file also contains /dev/vc/*.
These are likely to be deprecated in most environments, but may be retained
for compatibility. Root should also be prohibited from connecting
via network protocols. Other sections of this document
include guidance describing how to prevent root from logging in via SSH. |
| contains 1 rule |
Direct root Logins Not Allowed
[ref]ruleTo further limit access to the root account, administrators
can disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as user can login to the system as root via Telnet, which sends the password in
plain text over the network. By default, SUSE Linux Enterprise 15's
/etc/securetty file only allows the root user to login at the console
physically attached to the system. To prevent root from logging in, remove the
contents of this file. To prevent direct root logins, remove the contents of this
file by typing the following command:
$ sudo echo > /etc/securetty
Warning:
This rule only checks the /etc/securetty file existence and its content.
If you need to restrict user access using the /etc/securetty file, make sure
the pam_securetty.so PAM module is properly enabled in relevant PAM files. Disabling direct root logins ensures proper accountability and multifactor
authentication to privileged accounts. Users will first login, then escalate
to privileged (root) access via su / sudo. This is required for FISMA Low
and FISMA Moderate systems. Identifiers:
CCE-91427-5 References:
1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.1, 3.1.6, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, 5.5, R33, 8.6.1, 8.6
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91427-5
- NIST-800-171-3.1.1
- NIST-800-171-3.1.6
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2
- PCI-DSSv4-8.6
- PCI-DSSv4-8.6.1
- low_complexity
- low_disruption
- medium_severity
- no_direct_root_logins
- no_reboot_needed
- restrict_strategy
- name: Direct root Logins Not Allowed
ansible.builtin.copy:
dest: /etc/securetty
content: ''
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91427-5
- NIST-800-171-3.1.1
- NIST-800-171-3.1.6
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2
- PCI-DSSv4-8.6
- PCI-DSSv4-8.6.1
- low_complexity
- low_disruption
- medium_severity
- no_direct_root_logins
- no_reboot_needed
- restrict_strategy
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
echo > /etc/securetty
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Secure Session Configuration Files for Login Accounts
[ref]groupWhen a user logs into a Unix account, the system
configures the user's session by reading a number of files. Many of
these files are located in the user's home directory, and may have
weak permissions as a result of user error or misconfiguration. If
an attacker can modify or even read certain types of account
configuration information, they can often gain full access to the
affected user's account. Therefore, it is important to test and
correct configuration file permissions for interactive accounts,
particularly those of privileged users such as root or system
administrators. |
| contains 9 rules |
Configure Polyinstantiation of /tmp Directories
[ref]ruleTo configure polyinstantiated /tmp directories, first create the parent directories
which will hold the polyinstantiation child directories. Use the following command:
$ sudo mkdir --mode 000 /tmp/tmp-inst
Then, add the following entry to /etc/security/namespace.conf:
/tmp /tmp/tmp-inst/ level root,adm Rationale:Polyinstantiation of temporary directories is a proactive security measure
which reduces chances of attacks that are made possible by /tmp
directories being world-writable. Identifiers:
CCE-91197-4 References:
R55
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91197-4
- accounts_polyinstantiated_tmp
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Create /tmp/tmp-inst directory
ansible.builtin.file:
path: /tmp/tmp-inst
state: directory
mode: '000'
seuser: system_u
serole: object_r
setype: tmp_t
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91197-4
- accounts_polyinstantiated_tmp
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Make changes to /etc/security/namespace.conf
ansible.builtin.lineinfile:
path: /etc/security/namespace.conf
create: false
regexp: ^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$
line: /tmp /tmp/tmp-inst/ level root,adm
state: present
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91197-4
- accounts_polyinstantiated_tmp
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# shellcheck disable=SC2174
mkdir -p --mode 000 /tmp/tmp-inst
chmod 000 /tmp/tmp-inst
chcon --reference=/tmp /tmp/tmp-inst
if ! grep -Eq '^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then
if grep -Eq '^\s*/tmp\s+' /etc/security/namespace.conf ; then
sed -i '/^\s*\/tmp/d' /etc/security/namespace.conf
fi
echo "/tmp /tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Polyinstantiation of /var/tmp Directories
[ref]ruleTo configure polyinstantiated /tmp directories, first create the parent directories
which will hold the polyinstantiation child directories. Use the following command:
$ sudo mkdir --mode 000 /var/tmp/tmp-inst
Then, add the following entry to /etc/security/namespace.conf:
/var/tmp /var/tmp/tmp-inst/ level root,adm Rationale:Polyinstantiation of temporary directories is a proactive security measure
which reduces chances of attacks that are made possible by /var/tmp
directories being world-writable. Identifiers:
CCE-91198-2 References:
R55
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91198-2
- accounts_polyinstantiated_var_tmp
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Create /var/tmp/tmp-inst directory
ansible.builtin.file:
path: /var/tmp/tmp-inst
state: directory
mode: '000'
seuser: system_u
serole: object_r
setype: tmp_t
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91198-2
- accounts_polyinstantiated_var_tmp
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Make changes to /etc/security/namespace.conf
ansible.builtin.lineinfile:
path: /etc/security/namespace.conf
create: false
regexp: ^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$
line: /var/tmp /var/tmp/tmp-inst/ level root,adm
state: present
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91198-2
- accounts_polyinstantiated_var_tmp
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# shellcheck disable=SC2174
mkdir -p --mode 000 /var/tmp/tmp-inst
chmod 000 /var/tmp/tmp-inst
chcon --reference=/var/tmp /var/tmp/tmp-inst
if ! grep -Eq '^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then
if grep -Eq '^\s*/var/tmp\s+' /etc/security/namespace.conf ; then
sed -i '/^\s*\/var\/tmp/d' /etc/security/namespace.conf
fi
echo "/var/tmp /var/tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Interactive Session Timeout
[ref]ruleSetting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity. A value of 0 (zero)
disables the automatic logout feature and is therefore not a compliant setting.
The value of TMOUT should be a positive integer, exported, and read only.
The TMOUT
setting in /etc/profile.d/autologout.sh should read as follows:
TMOUT=600
readonly TMOUT
export TMOUTRationale:Terminating an idle session within a short time period reduces
the window of opportunity for unauthorized personnel to take control of a
management session enabled on the console or console port that has been
left unattended. Identifiers:
CCE-83269-1 References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.11, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-12, SC-10, AC-2(5), CM-6(a), PR.AC-7, SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010, SLES-15-010130, 5.4.4, R32, SLES-15-600600240, 8.6.1, 8.6, SV-234813r1009561_rule
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83269-1
- DISA-STIG-SLES-15-010130
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSSv4-8.6
- PCI-DSSv4-8.6.1
- accounts_tmout
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_accounts_tmout # promote to variable
set_fact:
var_accounts_tmout: !!str 600
tags:
- always
- name: Set Interactive Session Timeout
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/profile.d/autologout.sh
create: true
regexp: (?i)^\s*TMOUT=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/profile.d/autologout.sh
ansible.builtin.lineinfile:
path: /etc/profile.d/autologout.sh
create: true
regexp: (?i)^\s*TMOUT=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/profile.d/autologout.sh
ansible.builtin.lineinfile:
path: /etc/profile.d/autologout.sh
create: true
regexp: (?i)^\s*TMOUT=
line: TMOUT={{ var_accounts_tmout }}
state: present
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83269-1
- DISA-STIG-SLES-15-010130
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSSv4-8.6
- PCI-DSSv4-8.6.1
- accounts_tmout
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interactive Session Timeout
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/profile.d/autologout.sh
create: true
regexp: (?i)^\s*readonly\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/profile.d/autologout.sh
ansible.builtin.lineinfile:
path: /etc/profile.d/autologout.sh
create: true
regexp: (?i)^\s*readonly\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/profile.d/autologout.sh
ansible.builtin.lineinfile:
path: /etc/profile.d/autologout.sh
create: true
regexp: (?i)^\s*readonly\s+
line: readonly TMOUT
state: present
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83269-1
- DISA-STIG-SLES-15-010130
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSSv4-8.6
- PCI-DSSv4-8.6.1
- accounts_tmout
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interactive Session Timeout
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/profile.d/autologout.sh
create: true
regexp: (?i)^\s*export\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/profile.d/autologout.sh
ansible.builtin.lineinfile:
path: /etc/profile.d/autologout.sh
create: true
regexp: (?i)^\s*export\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/profile.d/autologout.sh
ansible.builtin.lineinfile:
path: /etc/profile.d/autologout.sh
create: true
regexp: (?i)^\s*export\s+
line: export TMOUT
state: present
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83269-1
- DISA-STIG-SLES-15-010130
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSSv4-8.6
- PCI-DSSv4-8.6.1
- accounts_tmout
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set the permission for /etc/profile.d/autologout.sh
ansible.builtin.file:
path: /etc/profile.d/autologout.sh
mode: '0755'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- lookup('ansible.builtin.file', '/etc/profile.d/autologout.sh', errors='warn')
tags:
- CCE-83269-1
- DISA-STIG-SLES-15-010130
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSSv4-8.6
- PCI-DSSv4-8.6.1
- accounts_tmout
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
var_accounts_tmout='600'
if [ -f /etc/profile.d/autologout.sh ]; then
if grep --silent '^\s*TMOUT' /etc/profile.d/autologout.sh ; then
sed -i -E "s/^(\s*)TMOUT\s*=\s*(\w|\$)*(.*)$/\1TMOUT=$var_accounts_tmout\3/g" /etc/profile.d/autologout.sh
fi
else
echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/autologout.sh
echo "TMOUT=$var_accounts_tmout" >> /etc/profile.d/autologout.sh
fi
if ! grep --silent '^\s*readonly TMOUT' /etc/profile.d/autologout.sh ; then
echo "readonly TMOUT" >> /etc/profile.d/autologout.sh
fi
if ! grep --silent '^\s*export TMOUT' /etc/profile.d/autologout.sh ; then
echo "export TMOUT" >> /etc/profile.d/autologout.sh
fi
chmod +x /etc/profile.d/autologout.sh
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
User Initialization Files Must Be Group-Owned By The Primary Group
[ref]ruleChange the group owner of interactive users files to the group found
in /etc/passwd for the user. To change the group owner of a local
interactive user home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER/.INIT_FILE
This rule ensures every initialization file related to an interactive user
is group-owned by an interactive user.Warning:
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the group-ownership
of their respective initialization files. Local initialization files for interactive users are used to configure the
user's shell environment upon logon. Malicious modification of these files could
compromise accounts upon logon. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91408-5
- accounts_user_dot_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Group-Owned By The Primary Group - Get interactive
users from passwd file
ansible.builtin.getent:
database: passwd
register: passwd_entries
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91408-5
- accounts_user_dot_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Group-Owned By The Primary Group - Create
list of interactive users with GID and home directory
ansible.builtin.set_fact:
interactive_users: '{{ interactive_users | default([]) + [{''home'': item.value[4],
''gid'': item.value[2]}] }}'
loop: '{{ passwd_entries.ansible_facts.getent_passwd | dict2items }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.value[1] | int >= 1000 | int
- item.value[1] | int != 65534 | int
- item.value[4] != ""
tags:
- CCE-91408-5
- accounts_user_dot_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Group-Owned By The Primary Group - Find
dot files in interactive user home directories
ansible.builtin.find:
paths: '{{ item.home }}'
patterns: .*
file_type: file
hidden: true
depth: 1
follow: false
register: user_dotfiles
loop: '{{ interactive_users | default([]) }}'
failed_when: false
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.home != ""
tags:
- CCE-91408-5
- accounts_user_dot_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Group-Owned By The Primary Group - Set correct
group ownership for user initialization files
ansible.builtin.file:
path: '{{ item.1.path }}'
group: '{{ item.0.item.gid }}'
follow: false
loop: '{{ user_dotfiles.results | subelements(''files'', skip_missing=True) }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.0 is not skipped
- item.1.path is defined
tags:
- CCE-91408-5
- accounts_user_dot_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
awk -F: '{if ($3 >= 1000 && $3 != 65534) print $4":"$6}' /etc/passwd | while IFS=: read -r gid home; do find -P "$home" -maxdepth 1 -type f -name "\.[^.]*" -exec chgrp -f --no-dereference -- $gid "{}" \;; done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
User Initialization Files Must Be Owned By the Primary User
[ref]ruleSet the owner of the user initialization files for interactive users to
the primary owner with the following command:
$ sudo chown USER /home/USER/.*
This rule ensures every initialization file related to an interactive user
is owned by an interactive user.Warning:
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the ownership of
their respective initialization files. Local initialization files are used to configure the user's shell environment
upon logon. Malicious modification of these files could compromise accounts upon
logon. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91409-3
- accounts_user_dot_user_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Owned By the Primary User - Get interactive
users from passwd file
ansible.builtin.getent:
database: passwd
register: passwd_entries
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91409-3
- accounts_user_dot_user_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Owned By the Primary User - Create list
of interactive users with UID and home directory
ansible.builtin.set_fact:
interactive_users: '{{ interactive_users | default([]) + [{''uid'': item.value[1],
''home'': item.value[4], ''username'': item.key}] }}'
loop: '{{ passwd_entries.ansible_facts.getent_passwd | dict2items }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.value[1] | int >= 1000 | int
- item.value[1] | int != 65534 | int
- item.value[4] != ""
tags:
- CCE-91409-3
- accounts_user_dot_user_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Owned By the Primary User - Find dot files
in interactive user home directories
ansible.builtin.find:
paths: '{{ item.home }}'
patterns: .*
file_type: file
hidden: true
depth: 1
follow: false
register: user_dotfiles
loop: '{{ interactive_users | default([]) }}'
failed_when: false
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.home != ""
tags:
- CCE-91409-3
- accounts_user_dot_user_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Owned By the Primary User - Set correct
ownership for user initialization files
ansible.builtin.file:
path: '{{ item.1.path }}'
owner: '{{ item.0.item.username }}'
follow: false
loop: '{{ user_dotfiles.results | subelements(''files'', skip_missing=True) }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.0 is not skipped
- item.0 is not failed
- item.0.item is defined
- item.0.item.username is defined
- item.1.path is defined
tags:
- CCE-91409-3
- accounts_user_dot_user_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
awk -F: '{if ($3 >= 1000 && $3 != 65534) print $3":"$6}' /etc/passwd | while IFS=: read -r uid home; do find -P "$home" -maxdepth 1 -type f -name "\.[^.]*" -exec chown -f --no-dereference -- $uid "{}" \;; done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
[ref]ruleChange the group of a local interactive users files and directories to a
group that the interactive user is a member of. To change the group owner of a
local interactive users files and directories, use the following command:
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
This rule ensures every file or directory under the home directory related
to an interactive user is group-owned by an interactive user.Warning:
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the group-ownership
of folders or files in their respective home directories. If a local interactive users files are group-owned by a group of which the
user is not a member, unintended users may be able to access them. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91405-1
- accounts_users_home_files_groupownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Get all local users from /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91405-1
- accounts_users_home_files_groupownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Create local_users variable from the getent output
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91405-1
- accounts_users_home_files_groupownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Test for existence of home directories to avoid creating them, but only fixing
ownership
ansible.builtin.stat:
path: '{{ item.value[4] }}'
register: path_exists
loop: '{{ local_users }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.value[1]|int >= 1000
- item.value[1]|int != 65534
- item.value[4] != "/"
tags:
- CCE-91405-1
- accounts_users_home_files_groupownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure interactive local users are the owners of their respective home directories
ansible.builtin.file:
path: '{{ item.0.value[4] }}'
group: '{{ item.0.value[2] }}'
recurse: true
loop: '{{ local_users|zip(path_exists.results)|list }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.1.stat is defined and item.1.stat.exists
tags:
- CCE-91405-1
- accounts_users_home_files_groupownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534 && $6 != "/") print $1 }' /etc/passwd); do
home_dir=$(getent passwd $user | cut -d: -f6)
group=$(getent passwd $user | cut -d: -f4)
# Only update the group-ownership when necessary. This will avoid changing the inode timestamp
# when the group is already defined as expected, therefore not impacting in possible integrity
# check systems that also check inodes timestamps.
find $home_dir -not -group $group -exec chgrp -f --no-dereference $group {} \;
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
All User Files and Directories In The Home Directory Must Have a Valid Owner
[ref]ruleEither remove all files and directories from the system that
do not have a valid user, or assign a valid user to all unowned
files and directories. To assign a valid owner to a local
interactive user's files and directories, use the following command:
$ sudo chown -R USER /home/USER
This rule ensures every file or directory under the home directory related
to an interactive user is owned by an interactive user.Warning:
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the ownership of
folders or files in their respective home directories. If local interactive users do not own the files in their directories,
unauthorized users may be able to access them. Additionally, if files are not
owned by the user, this could be an indication of system compromise. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91406-9
- accounts_users_home_files_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Get all local users from /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91406-9
- accounts_users_home_files_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Create local_users variable from the getent output
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91406-9
- accounts_users_home_files_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Test for existence of home directories to avoid creating them, but only fixing
ownership
ansible.builtin.stat:
path: '{{ item.value[4] }}'
register: path_exists
loop: '{{ local_users }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.value[1]|int >= 1000
- item.value[1]|int != 65534
- item.value[4] != "/"
tags:
- CCE-91406-9
- accounts_users_home_files_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure interactive local users are the owners of their respective home directories
ansible.builtin.file:
path: '{{ item.0.value[4] }}'
owner: '{{ item.0.value[1] }}'
recurse: true
loop: '{{ local_users|zip(path_exists.results)|list }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.1.stat is defined and item.1.stat.exists
tags:
- CCE-91406-9
- accounts_users_home_files_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534 && $6 != "/") print $1 }' /etc/passwd); do
home_dir=$(getent passwd $user | cut -d: -f6)
# Only update the ownership when necessary. This will avoid changing the inode timestamp
# when the owner is already defined as expected, therefore not impacting in possible integrity
# check systems that also check inodes timestamps.
find $home_dir -not -user $user -exec chown -f --no-dereference $user {} \;
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
[ref]ruleSet the mode on files and directories in the local interactive user home
directory with the following command:
$ sudo chmod 0750 /home/USER/FILE_DIR
Files that begin with a "." are excluded from this requirement.Rationale:If a local interactive user files have excessive permissions, unintended users
may be able to access or modify them. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91403-6
- accounts_users_home_files_permissions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Get all local users from /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91403-6
- accounts_users_home_files_permissions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Create local_users variable from the getent output
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91403-6
- accounts_users_home_files_permissions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Test for existence home directories to avoid creating them.
ansible.builtin.stat:
path: '{{ item.value[4] }}'
register: path_exists
loop: '{{ local_users }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.value[1]|int >= 1000
- item.value[1]|int != 65534
- item.value[4] != "/"
tags:
- CCE-91403-6
- accounts_users_home_files_permissions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure interactive local users have proper permissions on their respective
home directories
ansible.builtin.file:
path: '{{ item.0.value[4] }}'
mode: u-s,g-w-s,o=-
follow: false
recurse: true
loop: '{{ local_users|zip(path_exists.results)|list }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- item.1.stat is defined and item.1.stat.exists
tags:
- CCE-91403-6
- accounts_users_home_files_permissions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534 && $6 != "/") print $6 }' /etc/passwd); do
# Only update the permissions when necessary. This will avoid changing the inode timestamp when
# the permission is already defined as expected, therefore not impacting in possible integrity
# check systems that also check inodes timestamps.
find "$home_dir" -perm /7027 \! -type l -exec chmod u-s,g-w-s,o=- {} \;
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
[ref]ruleSet the mode of the user initialization files to 0740 with the
following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE Rationale:Local initialization files are used to configure the user's shell environment
upon logon. Malicious modification of these files could compromise accounts upon
logon. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: XCCDF Value var_user_initialization_files_regex # promote to variable
set_fact:
var_user_initialization_files_regex: !!str ^(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)$
tags:
- always
- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Gather
User Info
ansible.builtin.getent:
database: passwd
tags:
- CCE-85630-2
- DISA-STIG-SLES-15-040110
- file_permission_user_init_files
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Find
Init Files
ansible.builtin.find:
paths: '{{ item.value[4] }}'
pattern: '{{ var_user_initialization_files_regex }}'
hidden: true
use_regex: true
with_dict: '{{ ansible_facts.getent_passwd }}'
when:
- item.value[4] != "/sbin/nologin"
- item.key not in ["nobody", "nfsnobody"]
- item.value[1] | int >= 1000
register: found_init_files
tags:
- CCE-85630-2
- DISA-STIG-SLES-15-040110
- file_permission_user_init_files
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Fix
Init Files Permissions
ansible.builtin.file:
path: '{{ item.1.path }}'
mode: u-s,g-wxs,o=
loop: '{{ q(''ansible.builtin.subelements'', found_init_files.results, ''files'',
{''skip_missing'': True}) }}'
tags:
- CCE-85630-2
- DISA-STIG-SLES-15-040110
- file_permission_user_init_files
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
var_user_initialization_files_regex='^(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)$'
readarray -t interactive_users < <(awk -F: '$3>=1000 {print $1}' /etc/passwd)
readarray -t interactive_users_home < <(awk -F: '$3>=1000 {print $6}' /etc/passwd)
readarray -t interactive_users_shell < <(awk -F: '$3>=1000 {print $7}' /etc/passwd)
USERS_IGNORED_REGEX='nobody|nfsnobody'
for (( i=0; i<"${#interactive_users[@]}"; i++ )); do
if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \
[ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then
readarray -t init_files < <(find "${interactive_users_home[$i]}" -maxdepth 1 \
-exec basename {} \; | grep -P "$var_user_initialization_files_regex")
for file in "${init_files[@]}"; do
chmod u-s,g-wxs,o= "${interactive_users_home[$i]}/$file"
done
fi
done
|
GRUB2 bootloader configuration
[ref]groupDuring the boot process, the boot loader is
responsible for starting the execution of the kernel and passing
options to it. The boot loader allows for the selection of
different kernels - possibly on different partitions or media.
The default SUSE Linux Enterprise 15 boot loader for x86 systems is called GRUB2.
Options it can pass to the kernel include single-user mode, which
provides root access without any authentication, and the ability to
disable SELinux. To prevent local users from modifying the boot
parameters and endangering security, protect the boot loader configuration
with a password and ensure its configuration file's permissions
are set properly. |
| contains 8 rules |
Non-UEFI GRUB2 bootloader configuration
[ref]groupNon-UEFI GRUB2 bootloader configuration |
| contains 1 rule |
Set Boot Loader Password in grub2
[ref]ruleThe grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.
Using the hash from the output, modify the /etc/grub.d/40_custom
file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
NOTE: the bootloader superuser account and password MUST differ from the
root account and password.
Once the superuser password has been added,
update the
grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg Warning:
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. Identifiers:
CCE-83274-1 References:
1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, SLES-15-010190, 1.5.1, R5, SLES-15-150600015, SV-234819r958472_rule |
UEFI GRUB2 bootloader configuration
[ref]groupUEFI GRUB2 bootloader configuration Warning:
UEFI generally uses vfat file systems, which does not support Unix-style permissions
managed by chmod command. In this case, in order to change file permissions for files
within /boot/efi it is necessary to update the mount options in /etc/fstab file and
reboot the system. |
| contains 1 rule |
Set the UEFI Boot Loader Password
[ref]ruleThe grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.
Using the hash from the output, modify the /etc/grub.d/40_custom
file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
NOTE: the bootloader superuser account and password MUST differ from the
root account and password.
Once the superuser password has been added,
update the
grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg Warning:
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. Identifiers:
CCE-83275-8 References:
11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, SLES-15-010200, 1.5.1, R5, SLES-15-150600015, SV-234820r958472_rule |
Configure L1 Terminal Fault mitigations
[ref]ruleL1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
speculative access to data which is available in the Level 1 Data Cache when
the page table entry isn't present.
Select the appropriate mitigation by adding the argument
l1tf=full,force to the default
GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain l1tf=full,force as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) l1tf=full,force"
Since Linux Kernel 4.19 you can check the L1TF vulnerability state with the
following command:
cat /sys/devices/system/cpu/vulnerabilities/l1tfWarning:
Enabling L1TF mitigations may impact performance of the system. The L1TF vulnerability allows an attacker to bypass memory access security controls imposed
by the system or hypervisor. The L1TF vulnerability allows read access to any physical memory
location that is cached in the L1 Data Cache. Remediation script: (show)
[customizations.kernel]
append = "l1tf=full,force"
| Complexity: | medium |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- grub2_l1tf_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: XCCDF Value var_l1tf_options # promote to variable
set_fact:
var_l1tf_options: !!str full,force
tags:
- always
- name: Check l1tf argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=.*l1tf=' /etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: argcheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_l1tf_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check l1tf argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: linecheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_l1tf_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: Add l1tf argument
ansible.builtin.lineinfile:
line: GRUB_CMDLINE_LINUX="l1tf={{ var_l1tf_options }} "
state: present
dest: /etc/default/grub
create: true
mode: '0644'
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc != 0
tags:
- grub2_l1tf_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: Replace existing l1tf argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: l1tf=[a-zA-Z0-9,]+
replace: l1tf={{ var_l1tf_options }}
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and
linecheck.rc == 0
tags:
- grub2_l1tf_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: Add l1tf argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: (^\s*GRUB_CMDLINE_LINUX=.*)"
replace: \1 l1tf={{ var_l1tf_options }}"
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc == 0
tags:
- grub2_l1tf_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_l1tf_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2 && rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
var_l1tf_options='full,force'
if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "l1tf" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"l1tf=[^\"]*\"(.*]\s*)/\1\"l1tf=$var_l1tf_options\"\2/" "$KARGS_DIR/*.toml"
else
echo "kargs = [\"l1tf=$var_l1tf_options\"]" >> "$KARGS_DIR/10-l1tf.toml"
fi
else
# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*l1tf=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if an l1tf= arg already exists
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)l1tf=[^[:space:]]\+\(.*\"\)/\1l1tf=$var_l1tf_options\2/" '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX=' '/etc/default/grub' ; then
# no l1tf=arg is present, append it
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 l1tf=$var_l1tf_options\"/" '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
echo "GRUB_CMDLINE_LINUX=\"l1tf=$var_l1tf_options\"" >> '/etc/default/grub'
fi
grub2-mkconfig -o /boot/grub2/grub.cfg
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Force kernel panic on uncorrected MCEs
[ref]ruleA Machine Check Exception is an error generated by the CPU itdetects an error
in itself, memory or I/O devices.
These errors may be corrected and generate a check log entry, if an error
cannot be corrected the kernel may panic or SIGBUS.
To force the kernel to panic on any uncorrected error reported by Machine Check
set the MCE tolerance to zero by adding mce=0
to the default GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain mce=0 as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) mce=0" Rationale:Allowing uncorrected errors to result on a SIGBUS may allow an attacker to continue
trying to exploit a vulnerability such as Rowhammer. Remediation script: (show)
[customizations.kernel]
append = "mce=0"
| Complexity: | medium |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- grub2_mce_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Check mce argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=.*mce=' /etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: argcheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_mce_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Check mce argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: linecheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_mce_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Add mce argument
ansible.builtin.lineinfile:
line: GRUB_CMDLINE_LINUX="mce=0 "
state: present
dest: /etc/default/grub
create: true
mode: '0644'
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc != 0
tags:
- grub2_mce_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Replace existing mce argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: mce=[a-zA-Z0-9,]+
replace: mce=0
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and
linecheck.rc == 0
tags:
- grub2_mce_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Add mce argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: (^\s*GRUB_CMDLINE_LINUX=.*)"
replace: \1 mce=0"
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc == 0
tags:
- grub2_mce_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_mce_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2 && rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "mce" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"mce=[^\"]*\"(.*]\s*)/\1\"mce=0\"\2/" "$KARGS_DIR/*.toml"
else
echo "kargs = [\"mce=0\"]" >> "$KARGS_DIR/10-mce.toml"
fi
else
# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*mce=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if an mce= arg already exists
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)mce=[^[:space:]]\+\(.*\"\)/\1mce=0\2/" '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX=' '/etc/default/grub' ; then
# no mce=arg is present, append it
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 mce=0\"/" '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
echo "GRUB_CMDLINE_LINUX=\"mce=0\"" >> '/etc/default/grub'
fi
grub2-mkconfig -o /boot/grub2/grub.cfg
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure the confidence in TPM for entropy
[ref]ruleThe TPM security chip that is available in most modern systems has a hardware RNG.
It is also used to feed the entropy pool, but generally not credited entropy.
Use rng_core.default_quality in the kernel command line to set the trust
level on the hardware generators. The trust level defines the amount of entropy to credit.
A value of 0 tells the system not to trust the hardware random number generators
available, and doesn't credit any entropy to the pool.
A value of 1000 assigns full confidence in the generators, and credits all the
entropy it provides to the pool.
Note that the value of rng_core.default_quality is global, affecting the trust
on all hardware random number generators.
Select the appropriate confidence by adding the argument
rng_core.default_quality=500 to the default
GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain rng_core.default_quality=500 as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) rng_core.default_quality=500" Rationale:A system may struggle to initialize its entropy pool and end up starving. Crediting entropy
from the hardware number generators available in the system helps fill up the entropy pool. Remediation script: (show)
[customizations.kernel]
append = "rng_core.default_quality=500"
| Complexity: | medium |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- grub2_rng_core_default_quality_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: XCCDF Value var_rng_core_default_quality # promote to variable
set_fact:
var_rng_core_default_quality: !!str 500
tags:
- always
- name: Check rng_core.default_quality argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=.*rng_core.default_quality='
/etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: argcheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_rng_core_default_quality_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check rng_core.default_quality argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: linecheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_rng_core_default_quality_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Add rng_core.default_quality argument
ansible.builtin.lineinfile:
line: GRUB_CMDLINE_LINUX="rng_core.default_quality={{ var_rng_core_default_quality
}} "
state: present
dest: /etc/default/grub
create: true
mode: '0644'
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc != 0
tags:
- grub2_rng_core_default_quality_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Replace existing rng_core.default_quality argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: rng_core.default_quality=[a-zA-Z0-9,]+
replace: rng_core.default_quality={{ var_rng_core_default_quality }}
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and
linecheck.rc == 0
tags:
- grub2_rng_core_default_quality_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Add rng_core.default_quality argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: (^\s*GRUB_CMDLINE_LINUX=.*)"
replace: \1 rng_core.default_quality={{ var_rng_core_default_quality }}"
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc == 0
tags:
- grub2_rng_core_default_quality_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_rng_core_default_quality_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2 && rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
var_rng_core_default_quality='500'
if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "rng_core.default_quality" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"rng_core.default_quality=[^\"]*\"(.*]\s*)/\1\"rng_core.default_quality=$var_rng_core_default_quality\"\2/" "$KARGS_DIR/*.toml"
else
echo "kargs = [\"rng_core.default_quality=$var_rng_core_default_quality\"]" >> "$KARGS_DIR/10-rng_core_default_quality.toml"
fi
else
# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*rng_core.default_quality=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if an rng_core.default_quality= arg already exists
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)rng_core.default_quality=[^[:space:]]\+\(.*\"\)/\1rng_core.default_quality=$var_rng_core_default_quality\2/" '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX=' '/etc/default/grub' ; then
# no rng_core.default_quality=arg is present, append it
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 rng_core.default_quality=$var_rng_core_default_quality\"/" '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
echo "GRUB_CMDLINE_LINUX=\"rng_core.default_quality=$var_rng_core_default_quality\"" >> '/etc/default/grub'
fi
grub2-mkconfig -o /boot/grub2/grub.cfg
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable merging of slabs with similar size
[ref]ruleThe kernel may merge similar slabs together to reduce overhead and increase
cache hotness of objects.
Disabling merging of slabs keeps the slabs separate and reduces the risk of
kernel heap overflows overwriting objects in merged caches.
To disable merging of slabs in the Kernel add the argument slab_nomerge=yes
to the default GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain slab_nomerge=yes as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slab_nomerge=yes" Warning:
Disabling merge of slabs will slightly increase kernel memory utilization. Disabling the merge of slabs of similar sizes prevents the kernel from
merging a seemingly useless but vulnerable slab with a useful and valuable slab.
This increase the risk that a heap overflow could overwrite objects from merged caches,
with unmerged caches the heap overflow would only affect the objects in the same cache.
Overall, this reduces the kernel attack surface area by isolating slabs from each other. Remediation script: (show)
[customizations.kernel]
append = "slab_nomerge=yes"
| Complexity: | medium |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- grub2_slab_nomerge_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Check slab_nomerge argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=.*slab_nomerge=' /etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: argcheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_slab_nomerge_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Check slab_nomerge argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: linecheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_slab_nomerge_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Add slab_nomerge argument
ansible.builtin.lineinfile:
line: GRUB_CMDLINE_LINUX="slab_nomerge=yes "
state: present
dest: /etc/default/grub
create: true
mode: '0644'
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc != 0
tags:
- grub2_slab_nomerge_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Replace existing slab_nomerge argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: slab_nomerge=[a-zA-Z0-9,]+
replace: slab_nomerge=yes
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and
linecheck.rc == 0
tags:
- grub2_slab_nomerge_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Add slab_nomerge argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: (^\s*GRUB_CMDLINE_LINUX=.*)"
replace: \1 slab_nomerge=yes"
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc == 0
tags:
- grub2_slab_nomerge_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_slab_nomerge_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2 && rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "slab_nomerge" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"slab_nomerge=[^\"]*\"(.*]\s*)/\1\"slab_nomerge=yes\"\2/" "$KARGS_DIR/*.toml"
else
echo "kargs = [\"slab_nomerge=yes\"]" >> "$KARGS_DIR/10-slab_nomerge.toml"
fi
else
# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*slab_nomerge=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if an slab_nomerge= arg already exists
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)slab_nomerge=[^[:space:]]\+\(.*\"\)/\1slab_nomerge=yes\2/" '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX=' '/etc/default/grub' ; then
# no slab_nomerge=arg is present, append it
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 slab_nomerge=yes\"/" '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
echo "GRUB_CMDLINE_LINUX=\"slab_nomerge=yes\"" >> '/etc/default/grub'
fi
grub2-mkconfig -o /boot/grub2/grub.cfg
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Speculative Store Bypass Mitigation
[ref]ruleCertain CPUs are vulnerable to an exploit against a common wide industry wide performance
optimization known as Speculative Store Bypass (SSB).
In such cases, recent stores to the same memory location cannot always be observed by later
loads during speculative execution. However, such stores are unlikely and thus they can be
detected prior to instruction retirement at the end of a particular speculation execution
window.
Since Linux Kernel 4.17 you can check the SSB mitigation state with the following command:
cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
Select the appropriate SSB state by adding the argument
spec_store_bypass_disable=seccomp to the default
GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain spec_store_bypass_disable=seccomp as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) spec_store_bypass_disable=seccomp" Warning:
Disabling Speculative Store Bypass may impact performance of the system. In vulnerable processors, the speculatively forwarded store can be used in a cache side channel
attack. An example of this is reading memory to which the attacker does not directly have access,
for example inside the sandboxed code. Remediation script: (show)
[customizations.kernel]
append = "spec_store_bypass_disable=seccomp"
| Complexity: | medium |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- grub2_spec_store_bypass_disable_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: XCCDF Value var_spec_store_bypass_disable_options # promote to variable
set_fact:
var_spec_store_bypass_disable_options: !!str seccomp
tags:
- always
- name: Check spec_store_bypass_disable argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=.*spec_store_bypass_disable='
/etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: argcheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_spec_store_bypass_disable_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Check spec_store_bypass_disable argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: linecheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_spec_store_bypass_disable_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Add spec_store_bypass_disable argument
ansible.builtin.lineinfile:
line: GRUB_CMDLINE_LINUX="spec_store_bypass_disable={{ var_spec_store_bypass_disable_options
}} "
state: present
dest: /etc/default/grub
create: true
mode: '0644'
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc != 0
tags:
- grub2_spec_store_bypass_disable_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Replace existing spec_store_bypass_disable argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: spec_store_bypass_disable=[a-zA-Z0-9,]+
replace: spec_store_bypass_disable={{ var_spec_store_bypass_disable_options }}
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and
linecheck.rc == 0
tags:
- grub2_spec_store_bypass_disable_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Add spec_store_bypass_disable argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: (^\s*GRUB_CMDLINE_LINUX=.*)"
replace: \1 spec_store_bypass_disable={{ var_spec_store_bypass_disable_options
}}"
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc == 0
tags:
- grub2_spec_store_bypass_disable_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_spec_store_bypass_disable_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2 && rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
var_spec_store_bypass_disable_options='seccomp'
if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "spec_store_bypass_disable" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"spec_store_bypass_disable=[^\"]*\"(.*]\s*)/\1\"spec_store_bypass_disable=$var_spec_store_bypass_disable_options\"\2/" "$KARGS_DIR/*.toml"
else
echo "kargs = [\"spec_store_bypass_disable=$var_spec_store_bypass_disable_options\"]" >> "$KARGS_DIR/10-spec_store_bypass_disable.toml"
fi
else
# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*spec_store_bypass_disable=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if an spec_store_bypass_disable= arg already exists
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)spec_store_bypass_disable=[^[:space:]]\+\(.*\"\)/\1spec_store_bypass_disable=$var_spec_store_bypass_disable_options\2/" '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX=' '/etc/default/grub' ; then
# no spec_store_bypass_disable=arg is present, append it
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 spec_store_bypass_disable=$var_spec_store_bypass_disable_options\"/" '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
echo "GRUB_CMDLINE_LINUX=\"spec_store_bypass_disable=$var_spec_store_bypass_disable_options\"" >> '/etc/default/grub'
fi
grub2-mkconfig -o /boot/grub2/grub.cfg
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Enforce Spectre v2 mitigation
[ref]ruleSpectre V2 is an indirect branch poisoning attack that can lead to data leakage.
An exploit for Spectre V2 tricks the indirect branch predictor into executing
code from a future indirect branch chosen by the attacker, even if the privilege
level is different.
Since Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command:
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Enforce the Spectre V2 mitigation by adding the argument
spectre_v2=on to the default
GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain spectre_v2=on as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) spectre_v2=on" Rationale:The Spectre V2 vulnerability allows an attacker to read memory that he should not have
access to. Remediation script: (show)
[customizations.kernel]
append = "spectre_v2=on"
| Complexity: | medium |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- grub2_spectre_v2_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check spectre_v2 argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=.*spectre_v2=' /etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: argcheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_spectre_v2_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check spectre_v2 argument exists
ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
check_mode: false
failed_when: false
changed_when: false
register: linecheck
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_spectre_v2_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: Add spectre_v2 argument
ansible.builtin.lineinfile:
line: GRUB_CMDLINE_LINUX="spectre_v2=on "
state: present
dest: /etc/default/grub
create: true
mode: '0644'
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc != 0
tags:
- grub2_spectre_v2_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: Replace existing spectre_v2 argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: spectre_v2=[a-zA-Z0-9,]+
replace: spectre_v2=on
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and
linecheck.rc == 0
tags:
- grub2_spectre_v2_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: Add spectre_v2 argument
ansible.builtin.replace:
path: /etc/default/grub
regexp: (^\s*GRUB_CMDLINE_LINUX=.*)"
replace: \1 spectre_v2=on"
when:
- ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
- argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
linecheck.rc == 0
tags:
- grub2_spectre_v2_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
when: ( "grub2" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
tags:
- grub2_spectre_v2_argument
- high_severity
- low_disruption
- medium_complexity
- reboot_required
- restrict_strategy
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2 && rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "spectre_v2" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"spectre_v2=[^\"]*\"(.*]\s*)/\1\"spectre_v2=on\"\2/" "$KARGS_DIR/*.toml"
else
echo "kargs = [\"spectre_v2=on\"]" >> "$KARGS_DIR/10-spectre_v2.toml"
fi
else
# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*spectre_v2=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if an spectre_v2= arg already exists
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)spectre_v2=[^[:space:]]\+\(.*\"\)/\1spectre_v2=on\2/" '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX=' '/etc/default/grub' ; then
# no spectre_v2=arg is present, append it
sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 spectre_v2=on\"/" '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
echo "GRUB_CMDLINE_LINUX=\"spectre_v2=on\"" >> '/etc/default/grub'
fi
grub2-mkconfig -o /boot/grub2/grub.cfg
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Network Configuration and Firewalls
[ref]groupMost systems must be connected to a network of some
sort, and this brings with it the substantial risk of network
attack. This section discusses the security impact of decisions
about networking which must be made when configuring a system.
This section also discusses firewalls, network access
controls, and other network security frameworks, which allow
system-level rules to be written that can limit an attackers' ability
to connect to your system. These rules can specify that network
traffic should be allowed or denied from certain IP addresses,
hosts, and networks. The rules can also specify which of the
system's network services are available to particular hosts or
networks. |
| contains 51 rules |
IPSec Support
[ref]groupSupport for Internet Protocol Security (IPsec)
is provided with Libreswan. |
| contains 9 rules |
Verify Group Who Owns /etc/ipsec.d Directory
[ref]rule To properly set the group owner of /etc/ipsec.d, run the command:
$ sudo chgrp root /etc/ipsec.d
Rationale:The ownership of the /etc/ipsec.d directory by the root group is important
because this directory hosts Libreswan configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the Libreswan configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92499-3
- configure_strategy
- directory_groupowner_etc_ipsecd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the root group is defined
ansible.builtin.getent:
database: group
key: root
ignore_errors: true
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- directory_groupowner_etc_ipsecd_newgroup is undefined
tags:
- CCE-92499-3
- configure_strategy
- directory_groupowner_etc_ipsecd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_groupowner_etc_ipsecd_newgroup variable if root found
ansible.builtin.set_fact:
directory_groupowner_etc_ipsecd_newgroup: root
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- ansible_facts.getent_group["root"] is defined
tags:
- CCE-92499-3
- configure_strategy
- directory_groupowner_etc_ipsecd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/ipsec.d/
ansible.builtin.file:
path: /etc/ipsec.d/
follow: false
state: directory
group: '{{ directory_groupowner_etc_ipsecd_newgroup }}'
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- CCE-92499-3
- configure_strategy
- directory_groupowner_etc_ipsecd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q strongswan-ipsec; then
newgroup=""
if getent group "root" >/dev/null 2>&1; then
newgroup="root"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "root is not a defined group on the system"
else
find -P /etc/ipsec.d/ -maxdepth 0 -type d ! -group root -exec chgrp --no-dereference "$newgroup" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify User Who Owns /etc/ipsec.d Directory
[ref]rule To properly set the owner of /etc/ipsec.d, run the command:
$ sudo chown root /etc/ipsec.d
Rationale:The ownership of the /etc/ipsec.d directory by the root user is important
because this directory hosts Libreswan configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the Libreswan configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92508-1
- configure_strategy
- directory_owner_etc_ipsecd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_owner_etc_ipsecd_newown variable if represented by uid
ansible.builtin.set_fact:
directory_owner_etc_ipsecd_newown: '0'
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- CCE-92508-1
- configure_strategy
- directory_owner_etc_ipsecd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on directory /etc/ipsec.d/
ansible.builtin.file:
path: /etc/ipsec.d/
follow: false
state: directory
owner: '{{ directory_owner_etc_ipsecd_newown }}'
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- CCE-92508-1
- configure_strategy
- directory_owner_etc_ipsecd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q strongswan-ipsec; then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
find -P /etc/ipsec.d/ -maxdepth 0 -type d ! -user 0 -exec chown --no-dereference "$newown" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/ipsec.d Directory
[ref]rule To properly set the permissions of /etc/ipsec.d, run the command: $ sudo chmod 0700 /etc/ipsec.d Rationale:Setting correct permissions on the /etc/ipsec.d directory is important
because this directory hosts Libreswan configuration. Protection of this
directory is critical for system security. Restricting the permissions
ensures exclusive control of the Libreswan configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92517-2
- configure_strategy
- directory_permissions_etc_ipsecd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/ipsec.d/ file(s)
ansible.builtin.command: 'find -P /etc/ipsec.d/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type
d '
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- CCE-92517-2
- configure_strategy
- directory_permissions_etc_ipsecd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/ipsec.d/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-s,g-xwrs,o-xwrt
state: directory
with_items:
- '{{ files_found.stdout_lines }}'
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- CCE-92517-2
- configure_strategy
- directory_permissions_etc_ipsecd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q strongswan-ipsec; then
find -H /etc/ipsec.d/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Group Who Owns /etc/ipsec.conf File
[ref]rule To properly set the group owner of /etc/ipsec.conf, run the command:
$ sudo chgrp root /etc/ipsec.conf
Rationale:The ownership of the /etc/ipsec.conf file by the root group is important
because this file hosts Libreswan configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the Libreswan configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92535-4
- configure_strategy
- file_groupowner_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the root group is defined
ansible.builtin.getent:
database: group
key: root
ignore_errors: true
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- file_groupowner_etc_ipsec_conf_newgroup is undefined
tags:
- CCE-92535-4
- configure_strategy
- file_groupowner_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_ipsec_conf_newgroup variable if root found
ansible.builtin.set_fact:
file_groupowner_etc_ipsec_conf_newgroup: root
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- ansible_facts.getent_group["root"] is defined
tags:
- CCE-92535-4
- configure_strategy
- file_groupowner_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ipsec.conf
ansible.builtin.stat:
path: /etc/ipsec.conf
register: file_exists
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- CCE-92535-4
- configure_strategy
- file_groupowner_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/ipsec.conf
ansible.builtin.file:
path: /etc/ipsec.conf
follow: false
group: '{{ file_groupowner_etc_ipsec_conf_newgroup }}'
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-92535-4
- configure_strategy
- file_groupowner_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q strongswan-ipsec; then
newgroup=""
if getent group "root" >/dev/null 2>&1; then
newgroup="root"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "root is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/ipsec.conf" | grep -E -w -q "root"; then
chgrp --no-dereference "$newgroup" /etc/ipsec.conf
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Group Who Owns /etc/ipsec.secrets File
[ref]rule To properly set the group owner of /etc/ipsec.secrets, run the command:
$ sudo chgrp root /etc/ipsec.secrets
Rationale:The ownership of the /etc/ipsec.secrets file by the root group is important
because this file hosts Libreswan configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the Libreswan configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92537-0
- configure_strategy
- file_groupowner_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the root group is defined
ansible.builtin.getent:
database: group
key: root
ignore_errors: true
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- file_groupowner_etc_ipsec_secrets_newgroup is undefined
tags:
- CCE-92537-0
- configure_strategy
- file_groupowner_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_ipsec_secrets_newgroup variable if root found
ansible.builtin.set_fact:
file_groupowner_etc_ipsec_secrets_newgroup: root
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- ansible_facts.getent_group["root"] is defined
tags:
- CCE-92537-0
- configure_strategy
- file_groupowner_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ipsec.secrets
ansible.builtin.stat:
path: /etc/ipsec.secrets
register: file_exists
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- CCE-92537-0
- configure_strategy
- file_groupowner_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/ipsec.secrets
ansible.builtin.file:
path: /etc/ipsec.secrets
follow: false
group: '{{ file_groupowner_etc_ipsec_secrets_newgroup }}'
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-92537-0
- configure_strategy
- file_groupowner_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q strongswan-ipsec; then
newgroup=""
if getent group "root" >/dev/null 2>&1; then
newgroup="root"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "root is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/ipsec.secrets" | grep -E -w -q "root"; then
chgrp --no-dereference "$newgroup" /etc/ipsec.secrets
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify User Who Owns /etc/ipsec.conf File
[ref]rule To properly set the owner of /etc/ipsec.conf, run the command:
$ sudo chown root /etc/ipsec.conf
Rationale:The ownership of the /etc/ipsec.conf file by the root user is important
because this file hosts Libreswan configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the Libreswan configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_owner_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_ipsec_conf_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_ipsec_conf_newown: '0'
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- configure_strategy
- file_owner_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ipsec.conf
ansible.builtin.stat:
path: /etc/ipsec.conf
register: file_exists
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- configure_strategy
- file_owner_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/ipsec.conf
ansible.builtin.file:
path: /etc/ipsec.conf
follow: false
owner: '{{ file_owner_etc_ipsec_conf_newown }}'
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_owner_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q strongswan-ipsec; then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/ipsec.conf" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/ipsec.conf
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify User Who Owns /etc/ipsec.secrets File
[ref]rule To properly set the owner of /etc/ipsec.secrets, run the command:
$ sudo chown root /etc/ipsec.secrets
Rationale:The ownership of the /etc/ipsec.secrets file by the root user is important
because this file hosts Libreswan configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the Libreswan configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_owner_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_ipsec_secrets_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_ipsec_secrets_newown: '0'
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- configure_strategy
- file_owner_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ipsec.secrets
ansible.builtin.stat:
path: /etc/ipsec.secrets
register: file_exists
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- configure_strategy
- file_owner_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/ipsec.secrets
ansible.builtin.file:
path: /etc/ipsec.secrets
follow: false
owner: '{{ file_owner_etc_ipsec_secrets_newown }}'
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_owner_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q strongswan-ipsec; then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/ipsec.secrets" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/ipsec.secrets
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/ipsec.conf File
[ref]rule To properly set the permissions of /etc/ipsec.conf, run the command: $ sudo chmod 0644 /etc/ipsec.conf Rationale:Setting correct permissions on the /etc/ipsec.conf file is important
because this file hosts Libreswan configuration. Protection of this
file is critical for system security. Restricting the permissions
ensures exclusive control of the Libreswan configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_permissions_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ipsec.conf
ansible.builtin.stat:
path: /etc/ipsec.conf
register: file_exists
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- configure_strategy
- file_permissions_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/ipsec.conf
ansible.builtin.file:
path: /etc/ipsec.conf
mode: u-xs,g-xws,o-xwt
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_permissions_etc_ipsec_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q strongswan-ipsec; then
chmod u-xs,g-xws,o-xwt /etc/ipsec.conf
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/ipsec.secrets File
[ref]rule To properly set the permissions of /etc/ipsec.secrets, run the command: $ sudo chmod 0644 /etc/ipsec.secrets Rationale:Setting correct permissions on the /etc/ipsec.secrets file is important
because this file hosts Libreswan configuration. Protection of this
file is critical for system security. Restricting the permissions
ensures exclusive control of the Libreswan configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_permissions_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ipsec.secrets
ansible.builtin.stat:
path: /etc/ipsec.secrets
register: file_exists
when: '"strongswan-ipsec" in ansible_facts.packages'
tags:
- configure_strategy
- file_permissions_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/ipsec.secrets
ansible.builtin.file:
path: /etc/ipsec.secrets
mode: u-xs,g-xws,o-xwt
when:
- '"strongswan-ipsec" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_permissions_etc_ipsec_secrets
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q strongswan-ipsec; then
chmod u-xs,g-xws,o-xwt /etc/ipsec.secrets
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
iptables and ip6tables
[ref]groupA host-based firewall called netfilter is included as
part of the Linux kernel distributed with the system. It is
activated by default. This firewall is controlled by the program
iptables, and the entire capability is frequently referred to by
this name. An analogous program called ip6tables handles filtering
for IPv6.
Unlike TCP Wrappers, which depends on the network server
program to support and respect the rules written, netfilter
filtering occurs at the kernel level, before a program can even
process the data from the network packet. As such, any program on
the system is affected by the rules written.
This section provides basic information about strengthening
the iptables and ip6tables configurations included with the system.
For more complete information that may allow the construction of a
sophisticated ruleset tailored to your environment, please consult
the references at the end of this section. |
| contains 3 rules |
Verify Group Who Owns /etc/iptables Directory
[ref]rule To properly set the group owner of /etc/iptables, run the command:
$ sudo chgrp root /etc/iptables
Rationale:The ownership of the /etc/iptables directory by the root group is important
because this directory hosts iptables configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the iptables configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- directory_groupowner_etc_iptables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the root group is defined
ansible.builtin.getent:
database: group
key: root
ignore_errors: true
when:
- '"iptables" in ansible_facts.packages'
- directory_groupowner_etc_iptables_newgroup is undefined
tags:
- configure_strategy
- directory_groupowner_etc_iptables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_groupowner_etc_iptables_newgroup variable if root found
ansible.builtin.set_fact:
directory_groupowner_etc_iptables_newgroup: root
when:
- '"iptables" in ansible_facts.packages'
- ansible_facts.getent_group["root"] is defined
tags:
- configure_strategy
- directory_groupowner_etc_iptables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/iptables/
ansible.builtin.file:
path: /etc/iptables/
follow: false
state: directory
group: '{{ directory_groupowner_etc_iptables_newgroup }}'
when: '"iptables" in ansible_facts.packages'
tags:
- configure_strategy
- directory_groupowner_etc_iptables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q iptables; then
newgroup=""
if getent group "root" >/dev/null 2>&1; then
newgroup="root"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "root is not a defined group on the system"
else
find -P /etc/iptables/ -maxdepth 0 -type d ! -group root -exec chgrp --no-dereference "$newgroup" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify User Who Owns /etc/iptables Directory
[ref]rule To properly set the owner of /etc/iptables, run the command:
$ sudo chown root /etc/iptables
Rationale:The ownership of the /etc/iptables directory by the root user is important
because this directory hosts iptables configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the iptables configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- directory_owner_etc_iptables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_owner_etc_iptables_newown variable if represented by uid
ansible.builtin.set_fact:
directory_owner_etc_iptables_newown: '0'
when: '"iptables" in ansible_facts.packages'
tags:
- configure_strategy
- directory_owner_etc_iptables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on directory /etc/iptables/
ansible.builtin.file:
path: /etc/iptables/
follow: false
state: directory
owner: '{{ directory_owner_etc_iptables_newown }}'
when: '"iptables" in ansible_facts.packages'
tags:
- configure_strategy
- directory_owner_etc_iptables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q iptables; then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
find -P /etc/iptables/ -maxdepth 0 -type d ! -user 0 -exec chown --no-dereference "$newown" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/iptables Directory
[ref]rule To properly set the permissions of /etc/iptables, run the command: $ sudo chmod 0700 /etc/iptables Rationale:Setting correct permissions on the /etc/iptables directory is important
because this directory hosts iptables configuration. Protection of this
directory is critical for system security. Restricting the permissions
ensures exclusive control of the iptables configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- directory_permissions_etc_iptables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/iptables/ file(s)
ansible.builtin.command: 'find -P /etc/iptables/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type
d '
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: '"iptables" in ansible_facts.packages'
tags:
- configure_strategy
- directory_permissions_etc_iptables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/iptables/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-s,g-xwrs,o-xwrt
state: directory
with_items:
- '{{ files_found.stdout_lines }}'
when: '"iptables" in ansible_facts.packages'
tags:
- configure_strategy
- directory_permissions_etc_iptables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q iptables; then
find -H /etc/iptables/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
The system includes support for Internet Protocol
version 6. A major and often-mentioned improvement over IPv4 is its
enormous increase in the number of available addresses. Another
important feature is its support for automatic configuration of
many network settings. |
| contains 15 rules |
Configure IPv6 Settings if Necessary
[ref]groupA major feature of IPv6 is the extent to which systems
implementing it can automatically configure their networking
devices using information from the network. From a security
perspective, manually configuring important configuration
information is preferable to accepting it from the network
in an unauthenticated fashion. |
| contains 15 rules |
Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
[ref]ruleTo set the runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_defrtr = 0 Rationale:An illicit router advertisement message could result in a man-in-the-middle attack. Identifiers:
CCE-91202-2 References:
R13
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91202-2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_defrtr
- unknown_severity
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_ra_defrtr_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_all_accept_ra_defrtr_value: !!str 0
tags:
- always
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91202-2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_defrtr
- unknown_severity
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
- Find all files that contain net.ipv6.conf.all.accept_ra_defrtr
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_ra_defrtr\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91202-2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_defrtr
- unknown_severity
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
- Find all files that set net.ipv6.conf.all.accept_ra_defrtr to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_ra_defrtr\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_ra_defrtr_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91202-2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_defrtr
- unknown_severity
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
- Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_ra_defrtr
replace: '#net.ipv6.conf.all.accept_ra_defrtr'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91202-2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_defrtr
- unknown_severity
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
- Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_ra_defrtr
replace: '#net.ipv6.conf.all.accept_ra_defrtr'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91202-2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_defrtr
- unknown_severity
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
- Ensure sysctl net.ipv6.conf.all.accept_ra_defrtr is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.accept_ra_defrtr
value: '{{ sysctl_net_ipv6_conf_all_accept_ra_defrtr_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_all_accept_ra_defrtr.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91202-2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_defrtr
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_defrtr.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.all.accept_ra_defrtr" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_all_accept_ra_defrtr.conf'
sysctl_net_ipv6_conf_all_accept_ra_defrtr_value='0'
#
# Set runtime for net.ipv6.conf.all.accept_ra_defrtr
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_defrtr="$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value"
fi
#
# If net.ipv6.conf.all.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.all.accept_ra_defrtr = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_defrtr")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_defrtr\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_defrtr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91202-2"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces
[ref]ruleTo set the runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_pinfo = 0 Rationale:An illicit router advertisement message could result in a man-in-the-middle attack. Identifiers:
CCE-91203-0 References:
R13
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91203-0
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_pinfo
- unknown_severity
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_ra_pinfo_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_all_accept_ra_pinfo_value: !!str 0
tags:
- always
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91203-0
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_pinfo
- unknown_severity
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces - Find all files that contain net.ipv6.conf.all.accept_ra_pinfo
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_ra_pinfo\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91203-0
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_pinfo
- unknown_severity
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces - Find all files that set net.ipv6.conf.all.accept_ra_pinfo to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_ra_pinfo\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_ra_pinfo_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91203-0
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_pinfo
- unknown_severity
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_ra_pinfo
replace: '#net.ipv6.conf.all.accept_ra_pinfo'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91203-0
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_pinfo
- unknown_severity
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_ra_pinfo
replace: '#net.ipv6.conf.all.accept_ra_pinfo'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91203-0
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_pinfo
- unknown_severity
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces - Ensure sysctl net.ipv6.conf.all.accept_ra_pinfo is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.accept_ra_pinfo
value: '{{ sysctl_net_ipv6_conf_all_accept_ra_pinfo_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_all_accept_ra_pinfo.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91203-0
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_pinfo
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_pinfo.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.all.accept_ra_pinfo" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_all_accept_ra_pinfo.conf'
sysctl_net_ipv6_conf_all_accept_ra_pinfo_value='0'
#
# Set runtime for net.ipv6.conf.all.accept_ra_pinfo
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_pinfo="$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value"
fi
#
# If net.ipv6.conf.all.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.all.accept_ra_pinfo = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_pinfo")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_pinfo\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_pinfo\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91203-0"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces
[ref]ruleTo set the runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_rtr_pref = 0 Rationale:An illicit router advertisement message could result in a man-in-the-middle attack. Identifiers:
CCE-91204-8 References:
R13
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91204-8
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
- unknown_severity
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value: !!str 0
tags:
- always
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91204-8
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
- unknown_severity
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces - Find all files that contain net.ipv6.conf.all.accept_ra_rtr_pref
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_ra_rtr_pref\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91204-8
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
- unknown_severity
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces - Find all files that set net.ipv6.conf.all.accept_ra_rtr_pref to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_ra_rtr_pref\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91204-8
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
- unknown_severity
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_ra_rtr_pref
replace: '#net.ipv6.conf.all.accept_ra_rtr_pref'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91204-8
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
- unknown_severity
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_ra_rtr_pref
replace: '#net.ipv6.conf.all.accept_ra_rtr_pref'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91204-8
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
- unknown_severity
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces - Ensure sysctl net.ipv6.conf.all.accept_ra_rtr_pref is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.accept_ra_rtr_pref
value: '{{ sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_all_accept_ra_rtr_pref.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91204-8
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_rtr_pref.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.all.accept_ra_rtr_pref" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_all_accept_ra_rtr_pref.conf'
sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value='0'
#
# Set runtime for net.ipv6.conf.all.accept_ra_rtr_pref
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value"
fi
#
# If net.ipv6.conf.all.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.all.accept_ra_rtr_pref = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_rtr_pref")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_rtr_pref\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_rtr_pref\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91204-8"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Accepting ICMP Redirects for All IPv6 Interfaces
[ref]ruleTo set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0 Rationale:An illicit ICMP redirect message could result in a man-in-the-middle attack. Identifiers:
CCE-85708-6 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SLES-15-040341, 3.3.2, R13, SLES-15-450450075, SV-235020r991589_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85708-6
- DISA-STIG-SLES-15-040341
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_redirects_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_all_accept_redirects_value: !!str 0
tags:
- always
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Set fact for sysctl
paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85708-6
- DISA-STIG-SLES-15-040341
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Find all files
that contain net.ipv6.conf.all.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85708-6
- DISA-STIG-SLES-15-040341
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Find all files
that set net.ipv6.conf.all.accept_redirects to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_redirects\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85708-6
- DISA-STIG-SLES-15-040341
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Comment out any
occurrences of net.ipv6.conf.all.accept_redirects from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_redirects
replace: '#net.ipv6.conf.all.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-85708-6
- DISA-STIG-SLES-15-040341
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Comment out any
occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_redirects
replace: '#net.ipv6.conf.all.accept_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85708-6
- DISA-STIG-SLES-15-040341
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Ensure sysctl net.ipv6.conf.all.accept_redirects
is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.accept_redirects
value: '{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_all_accept_redirects.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85708-6
- DISA-STIG-SLES-15-040341
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.all.accept_redirects" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_all_accept_redirects.conf'
sysctl_net_ipv6_conf_all_accept_redirects_value='0'
#
# Set runtime for net.ipv6.conf.all.accept_redirects
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects="$sysctl_net_ipv6_conf_all_accept_redirects_value"
fi
#
# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_redirects")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_redirects_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-85708-6"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
[ref]ruleTo set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0 Rationale:Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. Identifiers:
CCE-85649-2 References:
1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, SLES-15-040310, 3.3.1, R13, SLES-15-450450120, SV-235015r991589_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85649-2
- DISA-STIG-SLES-15-040310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_source_route_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_all_accept_source_route_value: !!str 0
tags:
- always
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85649-2
- DISA-STIG-SLES-15-040310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
- Find all files that contain net.ipv6.conf.all.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85649-2
- DISA-STIG-SLES-15-040310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
- Find all files that set net.ipv6.conf.all.accept_source_route to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_source_route\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_source_route_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85649-2
- DISA-STIG-SLES-15-040310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
- Comment out any occurrences of net.ipv6.conf.all.accept_source_route from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_source_route
replace: '#net.ipv6.conf.all.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-85649-2
- DISA-STIG-SLES-15-040310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
- Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_source_route
replace: '#net.ipv6.conf.all.accept_source_route'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85649-2
- DISA-STIG-SLES-15-040310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
- Ensure sysctl net.ipv6.conf.all.accept_source_route is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.accept_source_route
value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_all_accept_source_route.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85649-2
- DISA-STIG-SLES-15-040310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_source_route.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.all.accept_source_route" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_all_accept_source_route.conf'
sysctl_net_ipv6_conf_all_accept_source_route_value='0'
#
# Set runtime for net.ipv6.conf.all.accept_source_route
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value"
fi
#
# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_source_route")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_source_route_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-85649-2"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
[ref]ruleTo set the runtime status of the net.ipv6.conf.all.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.max_addresses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.max_addresses = 1 Rationale:The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. Identifiers:
CCE-91206-3 References:
R13
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91206-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_max_addresses
- unknown_severity
- name: XCCDF Value sysctl_net_ipv6_conf_all_max_addresses_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_all_max_addresses_value: !!str 1
tags:
- always
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91206-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_max_addresses
- unknown_severity
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
- Find all files that contain net.ipv6.conf.all.max_addresses
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.max_addresses\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91206-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_max_addresses
- unknown_severity
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
- Find all files that set net.ipv6.conf.all.max_addresses to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.max_addresses\s*=\s*{{ sysctl_net_ipv6_conf_all_max_addresses_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91206-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_max_addresses
- unknown_severity
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
- Comment out any occurrences of net.ipv6.conf.all.max_addresses from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.max_addresses
replace: '#net.ipv6.conf.all.max_addresses'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91206-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_max_addresses
- unknown_severity
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
- Comment out any occurrences of net.ipv6.conf.all.max_addresses from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.all.max_addresses
replace: '#net.ipv6.conf.all.max_addresses'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91206-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_max_addresses
- unknown_severity
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
- Ensure sysctl net.ipv6.conf.all.max_addresses is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.max_addresses
value: '{{ sysctl_net_ipv6_conf_all_max_addresses_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_all_max_addresses.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91206-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_max_addresses
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.all.max_addresses from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.max_addresses.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.all.max_addresses" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_all_max_addresses.conf'
sysctl_net_ipv6_conf_all_max_addresses_value='1'
#
# Set runtime for net.ipv6.conf.all.max_addresses
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.max_addresses="$sysctl_net_ipv6_conf_all_max_addresses_value"
fi
#
# If net.ipv6.conf.all.max_addresses present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.all.max_addresses = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.max_addresses")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_max_addresses_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.max_addresses\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.max_addresses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91206-3"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Denying Router Solicitations on All IPv6 Interfaces
[ref]ruleTo set the runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.router_solicitations = 0 Rationale:To prevent discovery of the system by other systems, router solicitation requests should be denied. Identifiers:
CCE-91207-1 References:
R13
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91207-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_router_solicitations
- unknown_severity
- name: XCCDF Value sysctl_net_ipv6_conf_all_router_solicitations_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_all_router_solicitations_value: !!str 0
tags:
- always
- name: Configure Denying Router Solicitations on All IPv6 Interfaces - Set fact for
sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91207-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_router_solicitations
- unknown_severity
- name: Configure Denying Router Solicitations on All IPv6 Interfaces - Find all files
that contain net.ipv6.conf.all.router_solicitations
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.router_solicitations\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91207-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_router_solicitations
- unknown_severity
- name: Configure Denying Router Solicitations on All IPv6 Interfaces - Find all files
that set net.ipv6.conf.all.router_solicitations to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.router_solicitations\s*=\s*{{ sysctl_net_ipv6_conf_all_router_solicitations_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91207-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_router_solicitations
- unknown_severity
- name: Configure Denying Router Solicitations on All IPv6 Interfaces - Comment out
any occurrences of net.ipv6.conf.all.router_solicitations from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.router_solicitations
replace: '#net.ipv6.conf.all.router_solicitations'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91207-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_router_solicitations
- unknown_severity
- name: Configure Denying Router Solicitations on All IPv6 Interfaces - Comment out
any occurrences of net.ipv6.conf.all.router_solicitations from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.all.router_solicitations
replace: '#net.ipv6.conf.all.router_solicitations'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91207-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_router_solicitations
- unknown_severity
- name: Configure Denying Router Solicitations on All IPv6 Interfaces - Ensure sysctl
net.ipv6.conf.all.router_solicitations is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.router_solicitations
value: '{{ sysctl_net_ipv6_conf_all_router_solicitations_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_all_router_solicitations.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91207-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_all_router_solicitations
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.all.router_solicitations from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.router_solicitations.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.all.router_solicitations" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_all_router_solicitations.conf'
sysctl_net_ipv6_conf_all_router_solicitations_value='0'
#
# Set runtime for net.ipv6.conf.all.router_solicitations
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.router_solicitations="$sysctl_net_ipv6_conf_all_router_solicitations_value"
fi
#
# If net.ipv6.conf.all.router_solicitations present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.all.router_solicitations = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.router_solicitations")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_router_solicitations_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.router_solicitations\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.router_solicitations\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91207-1"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default
[ref]ruleTo set the runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_defrtr = 0 Rationale:An illicit router advertisement message could result in a man-in-the-middle attack. Identifiers:
CCE-91208-9 References:
R13
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91208-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_defrtr
- unknown_severity
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_defrtr_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_default_accept_ra_defrtr_value: !!str 0
tags:
- always
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
By Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91208-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_defrtr
- unknown_severity
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
By Default - Find all files that contain net.ipv6.conf.default.accept_ra_defrtr
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_ra_defrtr\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91208-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_defrtr
- unknown_severity
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
By Default - Find all files that set net.ipv6.conf.default.accept_ra_defrtr to
correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_ra_defrtr\s*=\s*{{ sysctl_net_ipv6_conf_default_accept_ra_defrtr_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91208-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_defrtr
- unknown_severity
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
By Default - Comment out any occurrences of net.ipv6.conf.default.accept_ra_defrtr
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_ra_defrtr
replace: '#net.ipv6.conf.default.accept_ra_defrtr'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91208-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_defrtr
- unknown_severity
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
By Default - Comment out any occurrences of net.ipv6.conf.default.accept_ra_defrtr
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_ra_defrtr
replace: '#net.ipv6.conf.default.accept_ra_defrtr'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91208-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_defrtr
- unknown_severity
- name: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
By Default - Ensure sysctl net.ipv6.conf.default.accept_ra_defrtr is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.accept_ra_defrtr
value: '{{ sysctl_net_ipv6_conf_default_accept_ra_defrtr_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_accept_ra_defrtr.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91208-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_defrtr
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.default.accept_ra_defrtr from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_defrtr.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.default.accept_ra_defrtr" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_default_accept_ra_defrtr.conf'
sysctl_net_ipv6_conf_default_accept_ra_defrtr_value='0'
#
# Set runtime for net.ipv6.conf.default.accept_ra_defrtr
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_defrtr="$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value"
fi
#
# If net.ipv6.conf.default.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.default.accept_ra_defrtr = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_defrtr")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_defrtr\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_defrtr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91208-9"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default
[ref]ruleTo set the runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_pinfo = 0 Rationale:An illicit router advertisement message could result in a man-in-the-middle attack. Identifiers:
CCE-91209-7 References:
R13
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91209-7
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_pinfo
- unknown_severity
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_pinfo_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_default_accept_ra_pinfo_value: !!str 0
tags:
- always
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces By Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91209-7
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_pinfo
- unknown_severity
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces By Default - Find all files that contain net.ipv6.conf.default.accept_ra_pinfo
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_ra_pinfo\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91209-7
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_pinfo
- unknown_severity
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces By Default - Find all files that set net.ipv6.conf.default.accept_ra_pinfo
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_ra_pinfo\s*=\s*{{ sysctl_net_ipv6_conf_default_accept_ra_pinfo_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91209-7
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_pinfo
- unknown_severity
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces By Default - Comment out any occurrences of net.ipv6.conf.default.accept_ra_pinfo
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_ra_pinfo
replace: '#net.ipv6.conf.default.accept_ra_pinfo'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91209-7
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_pinfo
- unknown_severity
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces By Default - Comment out any occurrences of net.ipv6.conf.default.accept_ra_pinfo
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_ra_pinfo
replace: '#net.ipv6.conf.default.accept_ra_pinfo'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91209-7
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_pinfo
- unknown_severity
- name: Configure Accepting Prefix Information in Router Advertisements on All IPv6
Interfaces By Default - Ensure sysctl net.ipv6.conf.default.accept_ra_pinfo is
set
ansible.posix.sysctl:
name: net.ipv6.conf.default.accept_ra_pinfo
value: '{{ sysctl_net_ipv6_conf_default_accept_ra_pinfo_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_accept_ra_pinfo.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91209-7
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_pinfo
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.default.accept_ra_pinfo from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_pinfo.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.default.accept_ra_pinfo" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_default_accept_ra_pinfo.conf'
sysctl_net_ipv6_conf_default_accept_ra_pinfo_value='0'
#
# Set runtime for net.ipv6.conf.default.accept_ra_pinfo
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_pinfo="$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value"
fi
#
# If net.ipv6.conf.default.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.default.accept_ra_pinfo = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_pinfo")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_pinfo\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_pinfo\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91209-7"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default
[ref]ruleTo set the runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_rtr_pref = 0 Rationale:An illicit router advertisement message could result in a man-in-the-middle attack. Identifiers:
CCE-91210-5 References:
R13
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91210-5
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
- unknown_severity
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value: !!str 0
tags:
- always
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces By Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91210-5
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
- unknown_severity
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces By Default - Find all files that contain net.ipv6.conf.default.accept_ra_rtr_pref
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_ra_rtr_pref\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91210-5
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
- unknown_severity
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces By Default - Find all files that set net.ipv6.conf.default.accept_ra_rtr_pref
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_ra_rtr_pref\s*=\s*{{ sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91210-5
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
- unknown_severity
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces By Default - Comment out any occurrences of net.ipv6.conf.default.accept_ra_rtr_pref
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_ra_rtr_pref
replace: '#net.ipv6.conf.default.accept_ra_rtr_pref'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91210-5
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
- unknown_severity
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces By Default - Comment out any occurrences of net.ipv6.conf.default.accept_ra_rtr_pref
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_ra_rtr_pref
replace: '#net.ipv6.conf.default.accept_ra_rtr_pref'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91210-5
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
- unknown_severity
- name: Configure Accepting Router Preference in Router Advertisements on All IPv6
Interfaces By Default - Ensure sysctl net.ipv6.conf.default.accept_ra_rtr_pref
is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.accept_ra_rtr_pref
value: '{{ sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_accept_ra_rtr_pref.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91210-5
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.default.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_rtr_pref.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.default.accept_ra_rtr_pref" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_default_accept_ra_rtr_pref.conf'
sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value='0'
#
# Set runtime for net.ipv6.conf.default.accept_ra_rtr_pref
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value"
fi
#
# If net.ipv6.conf.default.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.default.accept_ra_rtr_pref = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_rtr_pref")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_rtr_pref\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_rtr_pref\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91210-5"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
[ref]ruleTo set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 Rationale:An illicit ICMP redirect message could result in a man-in-the-middle attack. Identifiers:
CCE-85722-7 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SLES-15-040350, 3.3.2, R13, SLES-15-450450075, SV-235021r991589_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85722-7
- DISA-STIG-SLES-15-040350
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_redirects_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_default_accept_redirects_value: !!str 0
tags:
- always
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85722-7
- DISA-STIG-SLES-15-040350
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
- Find all files that contain net.ipv6.conf.default.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85722-7
- DISA-STIG-SLES-15-040350
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
- Find all files that set net.ipv6.conf.default.accept_redirects to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_redirects\s*=\s*{{ sysctl_net_ipv6_conf_default_accept_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85722-7
- DISA-STIG-SLES-15-040350
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
- Comment out any occurrences of net.ipv6.conf.default.accept_redirects from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_redirects
replace: '#net.ipv6.conf.default.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-85722-7
- DISA-STIG-SLES-15-040350
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
- Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_redirects
replace: '#net.ipv6.conf.default.accept_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85722-7
- DISA-STIG-SLES-15-040350
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
- Ensure sysctl net.ipv6.conf.default.accept_redirects is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.accept_redirects
value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_accept_redirects.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85722-7
- DISA-STIG-SLES-15-040350
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.default.accept_redirects" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_default_accept_redirects.conf'
sysctl_net_ipv6_conf_default_accept_redirects_value='0'
#
# Set runtime for net.ipv6.conf.default.accept_redirects
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value"
fi
#
# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_redirects")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_redirects_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-85722-7"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
[ref]ruleTo set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0 Rationale:Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. Identifiers:
CCE-85653-4 References:
1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, SLES-15-040321, 3.3.1, R13, SLES-15-450450120, 1.4.2, 1.4, SV-235017r991589_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85653-4
- DISA-STIG-SLES-15-040321
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_source_route_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_default_accept_source_route_value: !!str 0
tags:
- always
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85653-4
- DISA-STIG-SLES-15-040321
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Find all files that contain net.ipv6.conf.default.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85653-4
- DISA-STIG-SLES-15-040321
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Find all files that set net.ipv6.conf.default.accept_source_route
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_source_route\s*=\s*{{ sysctl_net_ipv6_conf_default_accept_source_route_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85653-4
- DISA-STIG-SLES-15-040321
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Comment out any occurrences of net.ipv6.conf.default.accept_source_route
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_source_route
replace: '#net.ipv6.conf.default.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-85653-4
- DISA-STIG-SLES-15-040321
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Comment out any occurrences of net.ipv6.conf.default.accept_source_route
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_source_route
replace: '#net.ipv6.conf.default.accept_source_route'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85653-4
- DISA-STIG-SLES-15-040321
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Ensure sysctl net.ipv6.conf.default.accept_source_route is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.accept_source_route
value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_accept_source_route.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85653-4
- DISA-STIG-SLES-15-040321
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_source_route.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.default.accept_source_route" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_default_accept_source_route.conf'
sysctl_net_ipv6_conf_default_accept_source_route_value='0'
#
# Set runtime for net.ipv6.conf.default.accept_source_route
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value"
fi
#
# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_source_route")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_source_route_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-85653-4"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Auto Configuration on All IPv6 Interfaces By Default
[ref]ruleTo set the runtime status of the net.ipv6.conf.default.autoconf kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.autoconf=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.autoconf = 0 Rationale:An illicit router advertisement message could result in a man-in-the-middle attack. Identifiers:
CCE-91211-3 References:
R13
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91211-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_autoconf
- unknown_severity
- name: XCCDF Value sysctl_net_ipv6_conf_default_autoconf_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_default_autoconf_value: !!str 0
tags:
- always
- name: Configure Auto Configuration on All IPv6 Interfaces By Default - Set fact
for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91211-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_autoconf
- unknown_severity
- name: Configure Auto Configuration on All IPv6 Interfaces By Default - Find all
files that contain net.ipv6.conf.default.autoconf
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.autoconf\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91211-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_autoconf
- unknown_severity
- name: Configure Auto Configuration on All IPv6 Interfaces By Default - Find all
files that set net.ipv6.conf.default.autoconf to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.autoconf\s*=\s*{{ sysctl_net_ipv6_conf_default_autoconf_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91211-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_autoconf
- unknown_severity
- name: Configure Auto Configuration on All IPv6 Interfaces By Default - Comment out
any occurrences of net.ipv6.conf.default.autoconf from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.autoconf
replace: '#net.ipv6.conf.default.autoconf'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91211-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_autoconf
- unknown_severity
- name: Configure Auto Configuration on All IPv6 Interfaces By Default - Comment out
any occurrences of net.ipv6.conf.default.autoconf from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.default.autoconf
replace: '#net.ipv6.conf.default.autoconf'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91211-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_autoconf
- unknown_severity
- name: Configure Auto Configuration on All IPv6 Interfaces By Default - Ensure sysctl
net.ipv6.conf.default.autoconf is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.autoconf
value: '{{ sysctl_net_ipv6_conf_default_autoconf_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_autoconf.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91211-3
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_autoconf
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.default.autoconf from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.autoconf.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.default.autoconf" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_default_autoconf.conf'
sysctl_net_ipv6_conf_default_autoconf_value='0'
#
# Set runtime for net.ipv6.conf.default.autoconf
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.autoconf="$sysctl_net_ipv6_conf_default_autoconf_value"
fi
#
# If net.ipv6.conf.default.autoconf present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.default.autoconf = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.autoconf")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_autoconf_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.autoconf\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.autoconf\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91211-3"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
[ref]ruleTo set the runtime status of the net.ipv6.conf.default.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.max_addresses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.max_addresses = 1 Rationale:The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. Identifiers:
CCE-91212-1 References:
R13
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91212-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_max_addresses
- unknown_severity
- name: XCCDF Value sysctl_net_ipv6_conf_default_max_addresses_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_default_max_addresses_value: !!str 1
tags:
- always
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
By Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91212-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_max_addresses
- unknown_severity
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
By Default - Find all files that contain net.ipv6.conf.default.max_addresses
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.max_addresses\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91212-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_max_addresses
- unknown_severity
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
By Default - Find all files that set net.ipv6.conf.default.max_addresses to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.max_addresses\s*=\s*{{ sysctl_net_ipv6_conf_default_max_addresses_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91212-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_max_addresses
- unknown_severity
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
By Default - Comment out any occurrences of net.ipv6.conf.default.max_addresses
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.max_addresses
replace: '#net.ipv6.conf.default.max_addresses'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91212-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_max_addresses
- unknown_severity
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
By Default - Comment out any occurrences of net.ipv6.conf.default.max_addresses
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.default.max_addresses
replace: '#net.ipv6.conf.default.max_addresses'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91212-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_max_addresses
- unknown_severity
- name: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
By Default - Ensure sysctl net.ipv6.conf.default.max_addresses is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.max_addresses
value: '{{ sysctl_net_ipv6_conf_default_max_addresses_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_max_addresses.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91212-1
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_max_addresses
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.default.max_addresses from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.max_addresses.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.default.max_addresses" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_default_max_addresses.conf'
sysctl_net_ipv6_conf_default_max_addresses_value='1'
#
# Set runtime for net.ipv6.conf.default.max_addresses
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.max_addresses="$sysctl_net_ipv6_conf_default_max_addresses_value"
fi
#
# If net.ipv6.conf.default.max_addresses present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.default.max_addresses = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.max_addresses")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_max_addresses_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.max_addresses\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.max_addresses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91212-1"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Denying Router Solicitations on All IPv6 Interfaces By Default
[ref]ruleTo set the runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.router_solicitations = 0 Rationale:To prevent discovery of the system by other systems, router solicitation requests should be denied. Identifiers:
CCE-91213-9 References:
R13
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91213-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_router_solicitations
- unknown_severity
- name: XCCDF Value sysctl_net_ipv6_conf_default_router_solicitations_value # promote to variable
set_fact:
sysctl_net_ipv6_conf_default_router_solicitations_value: !!str 0
tags:
- always
- name: Configure Denying Router Solicitations on All IPv6 Interfaces By Default -
Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91213-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_router_solicitations
- unknown_severity
- name: Configure Denying Router Solicitations on All IPv6 Interfaces By Default -
Find all files that contain net.ipv6.conf.default.router_solicitations
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.router_solicitations\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91213-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_router_solicitations
- unknown_severity
- name: Configure Denying Router Solicitations on All IPv6 Interfaces By Default -
Find all files that set net.ipv6.conf.default.router_solicitations to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.router_solicitations\s*=\s*{{ sysctl_net_ipv6_conf_default_router_solicitations_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91213-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_router_solicitations
- unknown_severity
- name: Configure Denying Router Solicitations on All IPv6 Interfaces By Default -
Comment out any occurrences of net.ipv6.conf.default.router_solicitations from
config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.router_solicitations
replace: '#net.ipv6.conf.default.router_solicitations'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91213-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_router_solicitations
- unknown_severity
- name: Configure Denying Router Solicitations on All IPv6 Interfaces By Default -
Comment out any occurrences of net.ipv6.conf.default.router_solicitations from
/etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.default.router_solicitations
replace: '#net.ipv6.conf.default.router_solicitations'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91213-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_router_solicitations
- unknown_severity
- name: Configure Denying Router Solicitations on All IPv6 Interfaces By Default -
Ensure sysctl net.ipv6.conf.default.router_solicitations is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.router_solicitations
value: '{{ sysctl_net_ipv6_conf_default_router_solicitations_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_router_solicitations.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91213-9
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv6_conf_default_router_solicitations
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of net.ipv6.conf.default.router_solicitations from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.router_solicitations.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv6.conf.default.router_solicitations" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_default_router_solicitations.conf'
sysctl_net_ipv6_conf_default_router_solicitations_value='0'
#
# Set runtime for net.ipv6.conf.default.router_solicitations
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.router_solicitations="$sysctl_net_ipv6_conf_default_router_solicitations_value"
fi
#
# If net.ipv6.conf.default.router_solicitations present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.default.router_solicitations = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.router_solicitations")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_router_solicitations_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.router_solicitations\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.router_solicitations\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91213-9"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Kernel Parameters Which Affect Networking
[ref]groupThe sysctl utility is used to set
parameters which affect the operation of the Linux kernel. Kernel parameters
which affect networking and have security implications are described here. |
| contains 21 rules |
Network Related Kernel Runtime Parameters for Hosts and Routers
[ref]groupCertain kernel parameters should be set for systems which are
acting as either hosts or routers to improve the system's ability defend
against certain types of IPv4 protocol attacks. |
| contains 18 rules |
Disable Accepting Packets Routed Between Local Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.conf.all.accept_local kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_local=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_local = 0 Rationale:Configure net.ipv4.conf.all.accept_local=0 to consider as invalid the packets
received from outside whose source is the 127.0.0.0/8 address block.
In combination with suitable routing, this can be used to direct packets between two
local interfaces over the wire and have them accepted properly. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_local
- name: Disable Accepting Packets Routed Between Local Interfaces - Set fact for sysctl
paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_local
- name: Disable Accepting Packets Routed Between Local Interfaces - Find all files
that contain net.ipv4.conf.all.accept_local
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.accept_local\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_local
- name: Disable Accepting Packets Routed Between Local Interfaces - Find all files
that set net.ipv4.conf.all.accept_local to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.accept_local\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_local
- name: Disable Accepting Packets Routed Between Local Interfaces - Comment out any
occurrences of net.ipv4.conf.all.accept_local from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_local
replace: '#net.ipv4.conf.all.accept_local'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_local
- name: Disable Accepting Packets Routed Between Local Interfaces - Comment out any
occurrences of net.ipv4.conf.all.accept_local from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_local
replace: '#net.ipv4.conf.all.accept_local'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_local
- name: Disable Accepting Packets Routed Between Local Interfaces - Ensure sysctl
net.ipv4.conf.all.accept_local is set to 0
ansible.posix.sysctl:
name: net.ipv4.conf.all.accept_local
value: '0'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_accept_local.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_local
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.all.accept_local from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_local.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.all.accept_local" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_all_accept_local.conf'
#
# Set runtime for net.ipv4.conf.all.accept_local
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_local="0"
fi
#
# If net.ipv4.conf.all.accept_local present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.all.accept_local = 0" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_local")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_local\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_local\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Accepting ICMP Redirects for All IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0 Rationale:ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be
disabled unless absolutely required." Identifiers:
CCE-85651-8 References:
1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SLES-15-040330, 3.3.2, R12, SLES-15-450450075, SV-235018r991589_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85651-8
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040330
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_all_accept_redirects_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_all_accept_redirects_value: !!str 0
tags:
- always
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Set fact for sysctl
paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85651-8
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040330
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Find all files
that contain net.ipv4.conf.all.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85651-8
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040330
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Find all files
that set net.ipv4.conf.all.accept_redirects to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.accept_redirects\s*=\s*{{ sysctl_net_ipv4_conf_all_accept_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85651-8
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040330
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Comment out any
occurrences of net.ipv4.conf.all.accept_redirects from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_redirects
replace: '#net.ipv4.conf.all.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-85651-8
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040330
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Comment out any
occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_redirects
replace: '#net.ipv4.conf.all.accept_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85651-8
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040330
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.accept_redirects
is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.accept_redirects
value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_accept_redirects.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85651-8
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040330
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.all.accept_redirects" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_all_accept_redirects.conf'
sysctl_net_ipv4_conf_all_accept_redirects_value='0'
#
# Set runtime for net.ipv4.conf.all.accept_redirects
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value"
fi
#
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_redirects")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_redirects_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-85651-8"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0 Rationale:Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. Identifiers:
CCE-85648-4 References:
1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SLES-15-040300, 3.3.1, R12, SLES-15-450450120, SV-235014r991589_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85648-4
- DISA-STIG-SLES-15-040300
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: XCCDF Value sysctl_net_ipv4_conf_all_accept_source_route_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_all_accept_source_route_value: !!str 0
tags:
- always
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85648-4
- DISA-STIG-SLES-15-040300
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
- Find all files that contain net.ipv4.conf.all.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85648-4
- DISA-STIG-SLES-15-040300
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
- Find all files that set net.ipv4.conf.all.accept_source_route to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.accept_source_route\s*=\s*{{ sysctl_net_ipv4_conf_all_accept_source_route_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85648-4
- DISA-STIG-SLES-15-040300
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.accept_source_route from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_source_route
replace: '#net.ipv4.conf.all.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-85648-4
- DISA-STIG-SLES-15-040300
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_source_route
replace: '#net.ipv4.conf.all.accept_source_route'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85648-4
- DISA-STIG-SLES-15-040300
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
- Ensure sysctl net.ipv4.conf.all.accept_source_route is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.accept_source_route
value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_accept_source_route.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85648-4
- DISA-STIG-SLES-15-040300
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.all.accept_source_route" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_all_accept_source_route.conf'
sysctl_net_ipv4_conf_all_accept_source_route_value='0'
#
# Set runtime for net.ipv4.conf.all.accept_source_route
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value"
fi
#
# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_source_route")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_source_route_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-85648-4"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure ARP filtering for All IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.conf.all.arp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_filter=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_filter = 0 Warning:
This behaviour may cause problems to system on a high availability or load balancing configuration. Prevents the Linux Kernel from handling the ARP table globally.
By default, the kernel may respond to an ARP request from a certain interface with information
from another interface. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92609-7
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_filter
- name: XCCDF Value sysctl_net_ipv4_conf_all_arp_filter_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_all_arp_filter_value: !!str 0
tags:
- always
- name: Configure ARP filtering for All IPv4 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92609-7
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_filter
- name: Configure ARP filtering for All IPv4 Interfaces - Find all files that contain
net.ipv4.conf.all.arp_filter
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.arp_filter\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92609-7
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_filter
- name: Configure ARP filtering for All IPv4 Interfaces - Find all files that set
net.ipv4.conf.all.arp_filter to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.arp_filter\s*=\s*{{ sysctl_net_ipv4_conf_all_arp_filter_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92609-7
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_filter
- name: Configure ARP filtering for All IPv4 Interfaces - Comment out any occurrences
of net.ipv4.conf.all.arp_filter from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.arp_filter
replace: '#net.ipv4.conf.all.arp_filter'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-92609-7
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_filter
- name: Configure ARP filtering for All IPv4 Interfaces - Comment out any occurrences
of net.ipv4.conf.all.arp_filter from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.arp_filter
replace: '#net.ipv4.conf.all.arp_filter'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92609-7
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_filter
- name: Configure ARP filtering for All IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.arp_filter
is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.arp_filter
value: '{{ sysctl_net_ipv4_conf_all_arp_filter_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_arp_filter.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92609-7
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_filter
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.all.arp_filter from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_filter.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.all.arp_filter" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_all_arp_filter.conf'
sysctl_net_ipv4_conf_all_arp_filter_value='0'
#
# Set runtime for net.ipv4.conf.all.arp_filter
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_filter="$sysctl_net_ipv4_conf_all_arp_filter_value"
fi
#
# If net.ipv4.conf.all.arp_filter present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.arp_filter = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_filter")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_filter_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_filter\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.arp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-92609-7"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Response Mode of ARP Requests for All IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_ignore=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_ignore = 2 Warning:
The ARP response mode may impact behaviour of workloads and firewalls on the system. Avoids ARP Flux on system that have more than one interface on the same subnet. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92610-5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_ignore
- name: XCCDF Value sysctl_net_ipv4_conf_all_arp_ignore_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_all_arp_ignore_value: !!str 2
tags:
- always
- name: Configure Response Mode of ARP Requests for All IPv4 Interfaces - Set fact
for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92610-5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_ignore
- name: Configure Response Mode of ARP Requests for All IPv4 Interfaces - Find all
files that contain net.ipv4.conf.all.arp_ignore
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.arp_ignore\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92610-5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_ignore
- name: Configure Response Mode of ARP Requests for All IPv4 Interfaces - Find all
files that set net.ipv4.conf.all.arp_ignore to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.arp_ignore\s*=\s*{{ sysctl_net_ipv4_conf_all_arp_ignore_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92610-5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_ignore
- name: Configure Response Mode of ARP Requests for All IPv4 Interfaces - Comment
out any occurrences of net.ipv4.conf.all.arp_ignore from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.arp_ignore
replace: '#net.ipv4.conf.all.arp_ignore'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-92610-5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_ignore
- name: Configure Response Mode of ARP Requests for All IPv4 Interfaces - Comment
out any occurrences of net.ipv4.conf.all.arp_ignore from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.arp_ignore
replace: '#net.ipv4.conf.all.arp_ignore'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92610-5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_ignore
- name: Configure Response Mode of ARP Requests for All IPv4 Interfaces - Ensure sysctl
net.ipv4.conf.all.arp_ignore is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.arp_ignore
value: '{{ sysctl_net_ipv4_conf_all_arp_ignore_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_arp_ignore.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92610-5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_arp_ignore
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.all.arp_ignore from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_ignore.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.all.arp_ignore" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_all_arp_ignore.conf'
sysctl_net_ipv4_conf_all_arp_ignore_value='2'
#
# Set runtime for net.ipv4.conf.all.arp_ignore
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_ignore="$sysctl_net_ipv4_conf_all_arp_ignore_value"
fi
#
# If net.ipv4.conf.all.arp_ignore present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.arp_ignore = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_ignore")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_ignore_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_ignore\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.arp_ignore\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-92610-5"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.conf.all.route_localnet kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.route_localnet=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.route_localnet = 0 Rationale:Refuse the routing of packets whose source or destination address is the local loopback.
This prohibits the use of network 127/8 for local routing purposes.
Enabling route_localnet can expose applications listening on localhost to external traffic. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92611-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_route_localnet
- name: Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92611-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_route_localnet
- name: Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces
- Find all files that contain net.ipv4.conf.all.route_localnet
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.route_localnet\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92611-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_route_localnet
- name: Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces
- Find all files that set net.ipv4.conf.all.route_localnet to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.route_localnet\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92611-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_route_localnet
- name: Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.route_localnet from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.route_localnet
replace: '#net.ipv4.conf.all.route_localnet'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-92611-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_route_localnet
- name: Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.route_localnet from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.route_localnet
replace: '#net.ipv4.conf.all.route_localnet'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92611-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_route_localnet
- name: Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces
- Ensure sysctl net.ipv4.conf.all.route_localnet is set to 0
ansible.posix.sysctl:
name: net.ipv4.conf.all.route_localnet
value: '0'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_route_localnet.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92611-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_route_localnet
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.all.route_localnet from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.route_localnet.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.all.route_localnet" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_all_route_localnet.conf'
#
# Set runtime for net.ipv4.conf.all.route_localnet
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.route_localnet="0"
fi
#
# If net.ipv4.conf.all.route_localnet present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.all.route_localnet = 0" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.route_localnet")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.route_localnet\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.route_localnet\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-92611-3"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1 Rationale:Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks. Identifiers:
CCE-91218-8 References:
1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.7, R12, 1.4.3, 1.4
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91218-8
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: XCCDF Value sysctl_net_ipv4_conf_all_rp_filter_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_all_rp_filter_value: !!str 1
tags:
- always
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91218-8
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Find all files that contain net.ipv4.conf.all.rp_filter
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.rp_filter\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91218-8
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Find all files that set net.ipv4.conf.all.rp_filter to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.rp_filter\s*=\s*{{ sysctl_net_ipv4_conf_all_rp_filter_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91218-8
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.rp_filter from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.rp_filter
replace: '#net.ipv4.conf.all.rp_filter'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91218-8
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.rp_filter
replace: '#net.ipv4.conf.all.rp_filter'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91218-8
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Ensure sysctl net.ipv4.conf.all.rp_filter is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.rp_filter
value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_rp_filter.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91218-8
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.all.rp_filter" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_all_rp_filter.conf'
sysctl_net_ipv4_conf_all_rp_filter_value='1'
#
# Set runtime for net.ipv4.conf.all.rp_filter
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value"
fi
#
# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.rp_filter")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_rp_filter_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.rp_filter\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91218-8"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0 Rationale:Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required. Identifiers:
CCE-91220-4 References:
1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.3, R12, SLES-15-450450090, 1.4.3, 1.4
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91220-4
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_all_secure_redirects_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_all_secure_redirects_value: !!str 0
tags:
- always
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91220-4
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
- Find all files that contain net.ipv4.conf.all.secure_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.secure_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91220-4
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
- Find all files that set net.ipv4.conf.all.secure_redirects to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.secure_redirects\s*=\s*{{ sysctl_net_ipv4_conf_all_secure_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91220-4
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.secure_redirects from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.secure_redirects
replace: '#net.ipv4.conf.all.secure_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91220-4
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.secure_redirects
replace: '#net.ipv4.conf.all.secure_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91220-4
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
- Ensure sysctl net.ipv4.conf.all.secure_redirects is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.secure_redirects
value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_secure_redirects.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91220-4
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.secure_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.all.secure_redirects" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_all_secure_redirects.conf'
sysctl_net_ipv4_conf_all_secure_redirects_value='0'
#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value"
fi
#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.secure_redirects")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_secure_redirects_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.secure_redirects\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91220-4"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.conf.all.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.shared_media=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.shared_media = 0 Rationale:This setting should be aligned with net.ipv4.conf.all.secure_redirects because it overrides it.
If shared_media is enabled for an interface secure_redirects will be enabled too. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_shared_media
- name: XCCDF Value sysctl_net_ipv4_conf_all_shared_media_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_all_shared_media_value: !!str 0
tags:
- always
- name: Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_shared_media
- name: Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
- Find all files that contain net.ipv4.conf.all.shared_media
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.shared_media\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_shared_media
- name: Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
- Find all files that set net.ipv4.conf.all.shared_media to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.shared_media\s*=\s*{{ sysctl_net_ipv4_conf_all_shared_media_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_shared_media
- name: Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.shared_media from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.shared_media
replace: '#net.ipv4.conf.all.shared_media'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_shared_media
- name: Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.shared_media from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.shared_media
replace: '#net.ipv4.conf.all.shared_media'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_shared_media
- name: Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
- Ensure sysctl net.ipv4.conf.all.shared_media is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.shared_media
value: '{{ sysctl_net_ipv4_conf_all_shared_media_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_shared_media.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_shared_media
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.all.shared_media from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.shared_media.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.all.shared_media" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_all_shared_media.conf'
sysctl_net_ipv4_conf_all_shared_media_value='0'
#
# Set runtime for net.ipv4.conf.all.shared_media
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.shared_media="$sysctl_net_ipv4_conf_all_shared_media_value"
fi
#
# If net.ipv4.conf.all.shared_media present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.shared_media = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.shared_media")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_shared_media_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.shared_media\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.shared_media\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0 Rationale:ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should
be disabled unless absolutely required. Identifiers:
CCE-85652-6 References:
1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, SLES-15-040340, 3.3.3, R12, SLES-15-450450075, 1.4.3, 1.4, SV-235019r991589_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85652-6
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040340
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_default_accept_redirects_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_default_accept_redirects_value: !!str 0
tags:
- always
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85652-6
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040340
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
- Find all files that contain net.ipv4.conf.default.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85652-6
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040340
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
- Find all files that set net.ipv4.conf.default.accept_redirects to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.accept_redirects\s*=\s*{{ sysctl_net_ipv4_conf_default_accept_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85652-6
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040340
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.default.accept_redirects from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.accept_redirects
replace: '#net.ipv4.conf.default.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-85652-6
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040340
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.accept_redirects
replace: '#net.ipv4.conf.default.accept_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85652-6
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040340
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
- Ensure sysctl net.ipv4.conf.default.accept_redirects is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.accept_redirects
value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_accept_redirects.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85652-6
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040340
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.default.accept_redirects" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_default_accept_redirects.conf'
sysctl_net_ipv4_conf_default_accept_redirects_value='0'
#
# Set runtime for net.ipv4.conf.default.accept_redirects
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value"
fi
#
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_redirects")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_redirects_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-85652-6"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
[ref]ruleTo set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0 Rationale:Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required, such as when
IPv4 forwarding is enabled and the system is legitimately functioning as a
router. Identifiers:
CCE-85650-0 References:
1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SLES-15-040320, 3.3.1, R12, SLES-15-450450120, SV-235016r991589_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85650-0
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040320
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: XCCDF Value sysctl_net_ipv4_conf_default_accept_source_route_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_default_accept_source_route_value: !!str 0
tags:
- always
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85650-0
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040320
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Find all files that contain net.ipv4.conf.default.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85650-0
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040320
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Find all files that set net.ipv4.conf.default.accept_source_route
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.accept_source_route\s*=\s*{{ sysctl_net_ipv4_conf_default_accept_source_route_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85650-0
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040320
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.accept_source_route
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.accept_source_route
replace: '#net.ipv4.conf.default.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-85650-0
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040320
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.accept_source_route
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.accept_source_route
replace: '#net.ipv4.conf.default.accept_source_route'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85650-0
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040320
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Ensure sysctl net.ipv4.conf.default.accept_source_route is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.accept_source_route
value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_accept_source_route.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85650-0
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040320
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_source_route.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.default.accept_source_route" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_default_accept_source_route.conf'
sysctl_net_ipv4_conf_default_accept_source_route_value='0'
#
# Set runtime for net.ipv4.conf.default.accept_source_route
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value"
fi
#
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_source_route")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_source_route_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-85650-0"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
[ref]ruleTo set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.rp_filter = 1 Rationale:Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks. Identifiers:
CCE-91219-6 References:
1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.7, R12
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91219-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: XCCDF Value sysctl_net_ipv4_conf_default_rp_filter_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_default_rp_filter_value: !!str 1
tags:
- always
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91219-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Find all files that contain net.ipv4.conf.default.rp_filter
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.rp_filter\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91219-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Find all files that set net.ipv4.conf.default.rp_filter to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.rp_filter\s*=\s*{{ sysctl_net_ipv4_conf_default_rp_filter_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91219-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.rp_filter from
config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.rp_filter
replace: '#net.ipv4.conf.default.rp_filter'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91219-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.rp_filter from
/etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.rp_filter
replace: '#net.ipv4.conf.default.rp_filter'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91219-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Ensure sysctl net.ipv4.conf.default.rp_filter is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.rp_filter
value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_rp_filter.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91219-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.default.rp_filter from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.rp_filter.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.default.rp_filter" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_default_rp_filter.conf'
sysctl_net_ipv4_conf_default_rp_filter_value='1'
#
# Set runtime for net.ipv4.conf.default.rp_filter
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value"
fi
#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.rp_filter")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_rp_filter_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.rp_filter\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91219-6"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Kernel Parameter for Accepting Secure Redirects By Default
[ref]ruleTo set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.secure_redirects = 0 Rationale:Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required. Identifiers:
CCE-91221-2 References:
1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.2, R12, SLES-15-450450090
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91221-2
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_default_secure_redirects_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_default_secure_redirects_value: !!str 0
tags:
- always
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Set
fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91221-2
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Find
all files that contain net.ipv4.conf.default.secure_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.secure_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91221-2
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Find
all files that set net.ipv4.conf.default.secure_redirects to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.secure_redirects\s*=\s*{{ sysctl_net_ipv4_conf_default_secure_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91221-2
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Comment
out any occurrences of net.ipv4.conf.default.secure_redirects from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.secure_redirects
replace: '#net.ipv4.conf.default.secure_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91221-2
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Comment
out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.secure_redirects
replace: '#net.ipv4.conf.default.secure_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91221-2
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Ensure
sysctl net.ipv4.conf.default.secure_redirects is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.secure_redirects
value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_secure_redirects.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91221-2
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.secure_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.default.secure_redirects" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_default_secure_redirects.conf'
sysctl_net_ipv4_conf_default_secure_redirects_value='0'
#
# Set runtime for net.ipv4.conf.default.secure_redirects
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value"
fi
#
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.secure_redirects")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_secure_redirects_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.secure_redirects\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91221-2"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure Sending and Accepting Shared Media Redirects by Default
[ref]ruleTo set the runtime status of the net.ipv4.conf.default.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.shared_media=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.shared_media = 0 Rationale:This setting should be aligned with net.ipv4.conf.default.secure_redirects because it overrides it.
If shared_media is enabled for an interface secure_redirects will be enabled too. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_shared_media
- name: XCCDF Value sysctl_net_ipv4_conf_default_shared_media_value # promote to variable
set_fact:
sysctl_net_ipv4_conf_default_shared_media_value: !!str 0
tags:
- always
- name: Configure Sending and Accepting Shared Media Redirects by Default - Set fact
for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_shared_media
- name: Configure Sending and Accepting Shared Media Redirects by Default - Find all
files that contain net.ipv4.conf.default.shared_media
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.shared_media\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_shared_media
- name: Configure Sending and Accepting Shared Media Redirects by Default - Find all
files that set net.ipv4.conf.default.shared_media to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.shared_media\s*=\s*{{ sysctl_net_ipv4_conf_default_shared_media_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_shared_media
- name: Configure Sending and Accepting Shared Media Redirects by Default - Comment
out any occurrences of net.ipv4.conf.default.shared_media from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.shared_media
replace: '#net.ipv4.conf.default.shared_media'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_shared_media
- name: Configure Sending and Accepting Shared Media Redirects by Default - Comment
out any occurrences of net.ipv4.conf.default.shared_media from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.shared_media
replace: '#net.ipv4.conf.default.shared_media'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_shared_media
- name: Configure Sending and Accepting Shared Media Redirects by Default - Ensure
sysctl net.ipv4.conf.default.shared_media is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.shared_media
value: '{{ sysctl_net_ipv4_conf_default_shared_media_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_shared_media.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_shared_media
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.default.shared_media from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.shared_media.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.default.shared_media" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_default_shared_media.conf'
sysctl_net_ipv4_conf_default_shared_media_value='0'
#
# Set runtime for net.ipv4.conf.default.shared_media
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.shared_media="$sysctl_net_ipv4_conf_default_shared_media_value"
fi
#
# If net.ipv4.conf.default.shared_media present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.shared_media = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.shared_media")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_shared_media_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.shared_media\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.shared_media\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1 Rationale:Ignoring bogus ICMP error responses reduces
log size, although some activity would not be logged. Identifiers:
CCE-91224-6 References:
1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.6, R12, SLES-15-450450045, 1.4.2, 1.4
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91224-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: XCCDF Value sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value # promote to variable
set_fact:
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: !!str 1
tags:
- always
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91224-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Find all files that contain net.ipv4.icmp_ignore_bogus_error_responses
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91224-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Find all files that set net.ipv4.icmp_ignore_bogus_error_responses to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91224-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from
config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses
replace: '#net.ipv4.icmp_ignore_bogus_error_responses'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91224-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from
/etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses
replace: '#net.ipv4.icmp_ignore_bogus_error_responses'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91224-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set
ansible.posix.sysctl:
name: net.ipv4.icmp_ignore_bogus_error_responses
value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_icmp_ignore_bogus_error_responses.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91224-6
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.icmp_ignore_bogus_error_responses" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_icmp_ignore_bogus_error_responses.conf'
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value='1'
#
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"
fi
#
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_ignore_bogus_error_responses")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_ignore_bogus_error_responses\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_ignore_bogus_error_responses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91224-6"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Kernel Parameter to Increase Local Port Range
[ref]ruleTo set the runtime status of the net.ipv4.ip_local_port_range kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_local_port_range = 32768 65535 Rationale:This setting defines the local port range that is used by TCP and UDP to
choose the local port. The first number is the first, the second the last
local port number. Identifiers:
CCE-91225-3 References:
R12
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91225-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_local_port_range
- name: Set Kernel Parameter to Increase Local Port Range - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91225-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_local_port_range
- name: Set Kernel Parameter to Increase Local Port Range - Find all files that contain
net.ipv4.ip_local_port_range
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.ip_local_port_range\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91225-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_local_port_range
- name: Set Kernel Parameter to Increase Local Port Range - Find all files that set
net.ipv4.ip_local_port_range to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.ip_local_port_range\s*=\s*32768 65535$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91225-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_local_port_range
- name: Set Kernel Parameter to Increase Local Port Range - Comment out any occurrences
of net.ipv4.ip_local_port_range from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.ip_local_port_range
replace: '#net.ipv4.ip_local_port_range'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91225-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_local_port_range
- name: Set Kernel Parameter to Increase Local Port Range - Comment out any occurrences
of net.ipv4.ip_local_port_range from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.ip_local_port_range
replace: '#net.ipv4.ip_local_port_range'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91225-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_local_port_range
- name: Set Kernel Parameter to Increase Local Port Range - Ensure sysctl net.ipv4.ip_local_port_range
is set to 32768 65535
ansible.posix.sysctl:
name: net.ipv4.ip_local_port_range
value: 32768 65535
sysctl_file: /etc/sysctl.d/net_ipv4_ip_local_port_range.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91225-3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_local_port_range
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.ip_local_port_range from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_local_port_range.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.ip_local_port_range" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_ip_local_port_range.conf'
#
# Set runtime for net.ipv4.ip_local_port_range
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.ip_local_port_range="32768 65535"
fi
#
# If net.ipv4.ip_local_port_range present in /etc/sysctl.conf, change value to "32768 65535"
# else, add "net.ipv4.ip_local_port_range = 32768 65535" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_local_port_range")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "32768 65535"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_local_port_range\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_local_port_range\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91225-3"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.tcp_rfc1337 kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_rfc1337=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_rfc1337 = 1 Rationale:Enable TCP behavior conformant with RFC 1337. When disabled, if a RST is
received in TIME_WAIT state, we close the socket immediately without waiting
for the end of the TIME_WAIT period. Identifiers:
CCE-91223-8 References:
R12
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91223-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_rfc1337
- name: XCCDF Value sysctl_net_ipv4_tcp_rfc1337_value # promote to variable
set_fact:
sysctl_net_ipv4_tcp_rfc1337_value: !!str 1
tags:
- always
- name: Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces - Set fact
for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91223-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_rfc1337
- name: Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces - Find all
files that contain net.ipv4.tcp_rfc1337
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.tcp_rfc1337\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91223-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_rfc1337
- name: Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces - Find all
files that set net.ipv4.tcp_rfc1337 to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.tcp_rfc1337\s*=\s*{{ sysctl_net_ipv4_tcp_rfc1337_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91223-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_rfc1337
- name: Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces - Comment out
any occurrences of net.ipv4.tcp_rfc1337 from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.tcp_rfc1337
replace: '#net.ipv4.tcp_rfc1337'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91223-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_rfc1337
- name: Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces - Comment out
any occurrences of net.ipv4.tcp_rfc1337 from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.tcp_rfc1337
replace: '#net.ipv4.tcp_rfc1337'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91223-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_rfc1337
- name: Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces - Ensure sysctl
net.ipv4.tcp_rfc1337 is set
ansible.posix.sysctl:
name: net.ipv4.tcp_rfc1337
value: '{{ sysctl_net_ipv4_tcp_rfc1337_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_tcp_rfc1337.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91223-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_rfc1337
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.tcp_rfc1337 from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_rfc1337.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.tcp_rfc1337" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_tcp_rfc1337.conf'
sysctl_net_ipv4_tcp_rfc1337_value='1'
#
# Set runtime for net.ipv4.tcp_rfc1337
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.tcp_rfc1337="$sysctl_net_ipv4_tcp_rfc1337_value"
fi
#
# If net.ipv4.tcp_rfc1337 present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.tcp_rfc1337 = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_rfc1337")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_rfc1337_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_rfc1337\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_rfc1337\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91223-8"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1 Rationale:A TCP SYN flood attack can cause a denial of service by filling a
system's TCP connection table with connections in the SYN_RCVD state.
Syncookies can be used to track a connection when a subsequent ACK is received,
verifying the initiator is attempting a valid connection and is not a flood
source. This feature is activated when a flood condition is detected, and
enables the system to continue servicing valid connection requests. Identifiers:
CCE-83283-2 References:
1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.1, SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071, SLES-15-010310, 3.3.8, R12, SLES-15-450450150, 1.4.3, 1.4, SV-234829r958528_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83283-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-010310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: XCCDF Value sysctl_net_ipv4_tcp_syncookies_value # promote to variable
set_fact:
sysctl_net_ipv4_tcp_syncookies_value: !!str 1
tags:
- always
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Set
fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83283-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-010310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Find
all files that contain net.ipv4.tcp_syncookies
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.tcp_syncookies\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83283-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-010310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Find
all files that set net.ipv4.tcp_syncookies to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.tcp_syncookies\s*=\s*{{ sysctl_net_ipv4_tcp_syncookies_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83283-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-010310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Comment
out any occurrences of net.ipv4.tcp_syncookies from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.tcp_syncookies
replace: '#net.ipv4.tcp_syncookies'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-83283-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-010310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Comment
out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.tcp_syncookies
replace: '#net.ipv4.tcp_syncookies'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83283-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-010310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Ensure
sysctl net.ipv4.tcp_syncookies is set
ansible.posix.sysctl:
name: net.ipv4.tcp_syncookies
value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_tcp_syncookies.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83283-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-010310
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_syncookies.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.tcp_syncookies" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_tcp_syncookies.conf'
sysctl_net_ipv4_tcp_syncookies_value='1'
#
# Set runtime for net.ipv4.tcp_syncookies
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value"
fi
#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_syncookies")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_syncookies_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_syncookies\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_syncookies\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-83283-2"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Network Parameters for Hosts Only
[ref]groupIf the system is not going to be used as a router, then setting certain
kernel parameters ensure that the host will not perform routing
of network traffic. |
| contains 3 rules |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0 Rationale:ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. Identifiers:
CCE-85655-9 References:
1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SLES-15-040370, 3.2.2, R12, SLES-15-450450030, 1.4.5, 1.4, SV-235023r991589_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85655-9
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040370
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85655-9
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040370
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Find all files that contain net.ipv4.conf.all.send_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.send_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85655-9
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040370
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Find all files that set net.ipv4.conf.all.send_redirects to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.send_redirects\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85655-9
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040370
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.send_redirects from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.send_redirects
replace: '#net.ipv4.conf.all.send_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-85655-9
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040370
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.send_redirects
replace: '#net.ipv4.conf.all.send_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85655-9
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040370
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0
ansible.posix.sysctl:
name: net.ipv4.conf.all.send_redirects
value: '0'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_send_redirects.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85655-9
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040370
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.all.send_redirects" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_all_send_redirects.conf'
#
# Set runtime for net.ipv4.conf.all.send_redirects
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0"
fi
#
# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.send_redirects")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.send_redirects\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-85655-9"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
[ref]ruleTo set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0 Rationale:ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. Identifiers:
CCE-85654-2 References:
1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SLES-15-040360, 3.2.2, R12, SLES-15-450450030, 1.4.5, 1.4, SV-235022r991589_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85654-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040360
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85654-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040360
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Find all files that contain net.ipv4.conf.default.send_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.send_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85654-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040360
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Find all files that set net.ipv4.conf.default.send_redirects to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.send_redirects\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85654-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040360
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.send_redirects
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.send_redirects
replace: '#net.ipv4.conf.default.send_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-85654-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040360
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.send_redirects
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.send_redirects
replace: '#net.ipv4.conf.default.send_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85654-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040360
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0
ansible.posix.sysctl:
name: net.ipv4.conf.default.send_redirects
value: '0'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_send_redirects.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85654-2
- CJIS-5.10.1.1
- DISA-STIG-SLES-15-040360
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.conf.default.send_redirects" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_conf_default_send_redirects.conf'
#
# Set runtime for net.ipv4.conf.default.send_redirects
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0"
fi
#
# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.send_redirects")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.send_redirects\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-85654-2"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
[ref]ruleTo set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0 Warning:
Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking.
Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in
profiles or benchmarks that target usage of IPv4 forwarding. Routing protocol daemons are typically used on routers to exchange
network topology information with other routers. If this capability is used when
not required, system network information may be unnecessarily transmitted across
the network. Identifiers:
CCE-85709-4 References:
1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.1, Req-1.3.2, SRG-OS-000480-GPOS-00227, SLES-15-040380, 3.2.1, R12, SLES-15-450450015, 1.4.3, 1.4, SV-235024r991589_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85709-4
- DISA-STIG-SLES-15-040380
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Set fact for
sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85709-4
- DISA-STIG-SLES-15-040380
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Find all files
that contain net.ipv4.ip_forward
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.ip_forward\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85709-4
- DISA-STIG-SLES-15-040380
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Find all files
that set net.ipv4.ip_forward to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.ip_forward\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85709-4
- DISA-STIG-SLES-15-040380
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Comment out
any occurrences of net.ipv4.ip_forward from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.ip_forward
replace: '#net.ipv4.ip_forward'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-85709-4
- DISA-STIG-SLES-15-040380
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Comment out
any occurrences of net.ipv4.ip_forward from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.ip_forward
replace: '#net.ipv4.ip_forward'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85709-4
- DISA-STIG-SLES-15-040380
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Ensure sysctl
net.ipv4.ip_forward is set to 0
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '0'
sysctl_file: /etc/sysctl.d/net_ipv4_ip_forward.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85709-4
- DISA-STIG-SLES-15-040380
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_forward.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "net.ipv4.ip_forward" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv4_ip_forward.conf'
#
# Set runtime for net.ipv4.ip_forward
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.ip_forward="0"
fi
#
# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_forward")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_forward\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_forward\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-85709-4"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
nftables
[ref]groupIf firewalld or iptables are being used in your environment, please follow the guidance in their
respective section and pass-over the guidance in this section.
nftables is a subsystem of the Linux kernel providing filtering and classification of network
packets/datagrams/frames and is the successor to iptables. The biggest change with the
successor nftables is its simplicity. With iptables, we have to configure every single rule and
use the syntax which can be compared with normal commands. With nftables, the simpler
syntax, much like BPF (Berkely Packet Filter) means shorter lines and less repetition.
Support for nftables should also be compiled into the kernel, together with the related
nftables modules.
It is available in Linux kernels >= 3.13. Please ensure that your kernel
supports nftables before choosing this option.
|
| contains 3 rules |
Verify Group Who Owns /etc/nftables Directory
[ref]rule To properly set the group owner of /etc/nftables, run the command:
$ sudo chgrp root /etc/nftables
Rationale:The ownership of the /etc/nftables directory by the root group is important
because this directory hosts nftables configuration. Protection of this
directory is critical for system security. Assigning the ownership to root
ensures exclusive control of the nftables configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92500-8
- configure_strategy
- directory_groupowner_etc_nftables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the root group is defined
ansible.builtin.getent:
database: group
key: root
ignore_errors: true
when:
- '"nftables" in ansible_facts.packages'
- directory_groupowner_etc_nftables_newgroup is undefined
tags:
- CCE-92500-8
- configure_strategy
- directory_groupowner_etc_nftables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_groupowner_etc_nftables_newgroup variable if root found
ansible.builtin.set_fact:
directory_groupowner_etc_nftables_newgroup: root
when:
- '"nftables" in ansible_facts.packages'
- ansible_facts.getent_group["root"] is defined
tags:
- CCE-92500-8
- configure_strategy
- directory_groupowner_etc_nftables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/nftables/
ansible.builtin.file:
path: /etc/nftables/
follow: false
state: directory
group: '{{ directory_groupowner_etc_nftables_newgroup }}'
when: '"nftables" in ansible_facts.packages'
tags:
- CCE-92500-8
- configure_strategy
- directory_groupowner_etc_nftables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q nftables; then
newgroup=""
if getent group "root" >/dev/null 2>&1; then
newgroup="root"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "root is not a defined group on the system"
else
find -P /etc/nftables/ -maxdepth 0 -type d ! -group root -exec chgrp --no-dereference "$newgroup" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify User Who Owns /etc/nftables Directory
[ref]rule To properly set the owner of /etc/nftables, run the command:
$ sudo chown root /etc/nftables
Rationale:The ownership of the /etc/nftables directory by the root user is important
because this directory hosts nftables configuration. Protection of this
directory is critical for system security. Assigning the ownership to root
ensures exclusive control of the nftables configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92509-9
- configure_strategy
- directory_owner_etc_nftables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_owner_etc_nftables_newown variable if represented by uid
ansible.builtin.set_fact:
directory_owner_etc_nftables_newown: '0'
when: '"nftables" in ansible_facts.packages'
tags:
- CCE-92509-9
- configure_strategy
- directory_owner_etc_nftables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on directory /etc/nftables/
ansible.builtin.file:
path: /etc/nftables/
follow: false
state: directory
owner: '{{ directory_owner_etc_nftables_newown }}'
when: '"nftables" in ansible_facts.packages'
tags:
- CCE-92509-9
- configure_strategy
- directory_owner_etc_nftables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q nftables; then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
find -P /etc/nftables/ -maxdepth 0 -type d ! -user 0 -exec chown --no-dereference "$newown" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/nftables Directory
[ref]rule To properly set the permissions of /etc/nftables, run the command: $ sudo chmod 0700 /etc/nftables Rationale:Setting correct permissions on the /etc/nftables directory is important
because this directory hosts nftables configuration. Protection of this
directory is critical for system security. Restricting the permissions
ensures exclusive control of the nftables configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92521-4
- configure_strategy
- directory_permissions_etc_nftables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/nftables/ file(s)
ansible.builtin.command: 'find -P /etc/nftables/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type
d '
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: '"nftables" in ansible_facts.packages'
tags:
- CCE-92521-4
- configure_strategy
- directory_permissions_etc_nftables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/nftables/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-s,g-xwrs,o-xwrt
state: directory
with_items:
- '{{ files_found.stdout_lines }}'
when: '"nftables" in ansible_facts.packages'
tags:
- CCE-92521-4
- configure_strategy
- directory_permissions_etc_nftables
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q nftables; then
find -H /etc/nftables/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
File Permissions and Masks
[ref]groupTraditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access.
Several of the commands in this section search filesystems
for files or directories with certain characteristics, and are
intended to be run on every local partition on a given system.
When the variable PART appears in one of the commands below,
it means that the command is intended to be run repeatedly, with the
name of each local partition substituted for PART in turn.
The following command prints a list of all xfs partitions on the local
system, which is the default filesystem for SUSE Linux Enterprise 15
installations:
$ mount -t xfs | awk '{print $3}'
For any systems that use a different
local filesystem type, modify this command as appropriate. |
| contains 61 rules |
Verify Permissions on Important Files and
Directories
[ref]groupPermissions for many files on a system must be set
restrictively to ensure sensitive information is properly protected.
This section discusses important
permission restrictions which can be verified
to ensure that no harmful discrepancies have
arisen. |
| contains 35 rules |
Verify Permissions on Files with Local Account Information and Credentials
[ref]groupThe default restrictive permissions for files which act as
important security databases such as passwd, shadow,
group, and gshadow files must be maintained. Many utilities
need read access to the passwd file in order to function properly, but
read access to the shadow file allows malicious attacks against system
passwords, and should never be enabled. |
| contains 15 rules |
Verify Group Who Owns group File
[ref]rule To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group
Rationale:The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. Identifiers:
CCE-85801-9 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.4, R50, SLES-15-900150045, 2.2.6, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Set the file_groupowner_etc_group_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_group_newgroup: '0'
tags:
- CCE-85801-9
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/group
ansible.builtin.stat:
path: /etc/group
register: file_exists
tags:
- CCE-85801-9
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/group
ansible.builtin.file:
path: /etc/group
follow: false
group: '{{ file_groupowner_etc_group_newgroup }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85801-9
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
newgroup=""
if getent group "0" >/dev/null 2>&1; then
newgroup="0"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "0 is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/group" | grep -E -w -q "0"; then
chgrp --no-dereference "$newgroup" /etc/group
fi
fi
|
Verify Group Who Owns gshadow File
[ref]rule To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow
Rationale:The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. Identifiers:
CCE-91348-3 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.2, R50, SLES-15-900150015, SLES-15-900150105
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Set the file_groupowner_etc_gshadow_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_gshadow_newgroup: '0'
tags:
- CCE-91348-3
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/gshadow
ansible.builtin.stat:
path: /etc/gshadow
register: file_exists
tags:
- CCE-91348-3
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/gshadow
ansible.builtin.file:
path: /etc/gshadow
follow: false
group: '{{ file_groupowner_etc_gshadow_newgroup }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-91348-3
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
newgroup=""
if getent group "0" >/dev/null 2>&1; then
newgroup="0"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "0 is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/gshadow" | grep -E -w -q "0"; then
chgrp --no-dereference "$newgroup" /etc/gshadow
fi
fi
|
Verify Group Who Owns passwd File
[ref]rule To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
Rationale:The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. Identifiers:
CCE-85809-2 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2, R50, SLES-15-900150015, 2.2.6, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Set the file_groupowner_etc_passwd_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_passwd_newgroup: '0'
tags:
- CCE-85809-2
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/passwd
ansible.builtin.stat:
path: /etc/passwd
register: file_exists
tags:
- CCE-85809-2
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/passwd
ansible.builtin.file:
path: /etc/passwd
follow: false
group: '{{ file_groupowner_etc_passwd_newgroup }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85809-2
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
newgroup=""
if getent group "0" >/dev/null 2>&1; then
newgroup="0"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "0 is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/passwd" | grep -E -w -q "0"; then
chgrp --no-dereference "$newgroup" /etc/passwd
fi
fi
|
Verify Group Who Owns shadow File
[ref]rule To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp shadow /etc/shadow
Rationale:The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. Identifiers:
CCE-85808-4 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.3, R50, SLES-15-900150075, 2.2.6, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Set the file_groupowner_etc_shadow_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_shadow_newgroup: '15'
tags:
- CCE-85808-4
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/shadow
ansible.builtin.stat:
path: /etc/shadow
register: file_exists
tags:
- CCE-85808-4
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/shadow
ansible.builtin.file:
path: /etc/shadow
follow: false
group: '{{ file_groupowner_etc_shadow_newgroup }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85808-4
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
newgroup=""
if getent group "15" >/dev/null 2>&1; then
newgroup="15"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "15 is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/shadow" | grep -E -w -q "15"; then
chgrp --no-dereference "$newgroup" /etc/shadow
fi
fi
|
Verify Group Who Owns /etc/shells File
[ref]rule
To properly set the group owner of /etc/shells, run the command:
$ sudo chgrp root /etc/shells
Rationale:The /etc/shells file contains the list of full pathnames to shells on the system.
Since this file is used by many system programs this file should be protected. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Set the file_groupowner_etc_shells_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_shells_newgroup: '0'
tags:
- CCE-92541-2
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_groupowner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/shells
ansible.builtin.stat:
path: /etc/shells
register: file_exists
tags:
- CCE-92541-2
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_groupowner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/shells
ansible.builtin.file:
path: /etc/shells
follow: false
group: '{{ file_groupowner_etc_shells_newgroup }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-92541-2
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_groupowner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
newgroup=""
if getent group "0" >/dev/null 2>&1; then
newgroup="0"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "0 is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/shells" | grep -E -w -q "0"; then
chgrp --no-dereference "$newgroup" /etc/shells
fi
fi
|
Verify User Who Owns group File
[ref]rule To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group
Rationale:The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. Identifiers:
CCE-85802-7 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.4, R50, SLES-15-900150045, 2.2.6, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Set the file_owner_etc_group_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_group_newown: '0'
tags:
- CCE-85802-7
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/group
ansible.builtin.stat:
path: /etc/group
register: file_exists
tags:
- CCE-85802-7
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/group
ansible.builtin.file:
path: /etc/group
follow: false
owner: '{{ file_owner_etc_group_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85802-7
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/group" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/group
fi
fi
|
Verify User Who Owns gshadow File
[ref]rule To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow
Rationale:The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. Identifiers:
CCE-91230-3 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.2, R50, SLES-15-900150015, SLES-15-900150105
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Set the file_owner_etc_gshadow_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_gshadow_newown: '0'
tags:
- CCE-91230-3
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/gshadow
ansible.builtin.stat:
path: /etc/gshadow
register: file_exists
tags:
- CCE-91230-3
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/gshadow
ansible.builtin.file:
path: /etc/gshadow
follow: false
owner: '{{ file_owner_etc_gshadow_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-91230-3
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/gshadow" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/gshadow
fi
fi
|
Verify User Who Owns passwd File
[ref]rule To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd
Rationale:The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. Identifiers:
CCE-85806-8 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2, R50, SLES-15-900150015, 2.2.6, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Set the file_owner_etc_passwd_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_passwd_newown: '0'
tags:
- CCE-85806-8
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/passwd
ansible.builtin.stat:
path: /etc/passwd
register: file_exists
tags:
- CCE-85806-8
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/passwd
ansible.builtin.file:
path: /etc/passwd
follow: false
owner: '{{ file_owner_etc_passwd_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85806-8
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/passwd" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/passwd
fi
fi
|
Verify User Who Owns shadow File
[ref]rule To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow
Rationale:The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. Identifiers:
CCE-85807-6 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.3, R50, SLES-15-900150075, 2.2.6, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Set the file_owner_etc_shadow_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_shadow_newown: '0'
tags:
- CCE-85807-6
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/shadow
ansible.builtin.stat:
path: /etc/shadow
register: file_exists
tags:
- CCE-85807-6
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/shadow
ansible.builtin.file:
path: /etc/shadow
follow: false
owner: '{{ file_owner_etc_shadow_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85807-6
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/shadow" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/shadow
fi
fi
|
Verify Who Owns /etc/shells File
[ref]rule
To properly set the owner of /etc/shells, run the command:
$ sudo chown root /etc/shells
Rationale:The /etc/shells file contains the list of full pathnames to shells on the system.
Since this file is used by many system programs this file should be protected. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Set the file_owner_etc_shells_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_shells_newown: '0'
tags:
- CCE-92547-9
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_owner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/shells
ansible.builtin.stat:
path: /etc/shells
register: file_exists
tags:
- CCE-92547-9
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_owner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/shells
ansible.builtin.file:
path: /etc/shells
follow: false
owner: '{{ file_owner_etc_shells_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-92547-9
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_owner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/shells" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/shells
fi
fi
|
Verify Permissions on group File
[ref]rule
To properly set the permissions of /etc/group, run the command:
$ sudo chmod 0644 /etc/group Rationale:The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. Identifiers:
CCE-85803-5 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.4, R50, SLES-15-900150045, 2.2.6, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Test for existence /etc/group
ansible.builtin.stat:
path: /etc/group
register: file_exists
tags:
- CCE-85803-5
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/group
ansible.builtin.file:
path: /etc/group
mode: u-xs,g-xws,o-xwt
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85803-5
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
chmod u-xs,g-xws,o-xwt /etc/group
|
Verify Permissions on gshadow File
[ref]rule
To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow Rationale:The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. Identifiers:
CCE-91231-1 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.2, R50, SLES-15-900150015, SLES-15-900150105
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Test for existence /etc/gshadow
ansible.builtin.stat:
path: /etc/gshadow
register: file_exists
tags:
- CCE-91231-1
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/gshadow
ansible.builtin.file:
path: /etc/gshadow
mode: u-xwrs,g-xwrs,o-xwrt
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-91231-1
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow
|
Verify Permissions on passwd File
[ref]rule
To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd Rationale:If the /etc/passwd file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security. Identifiers:
CCE-85805-0 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2, R50, SLES-15-900150015, 2.2.6, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Test for existence /etc/passwd
ansible.builtin.stat:
path: /etc/passwd
register: file_exists
tags:
- CCE-85805-0
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/passwd
ansible.builtin.file:
path: /etc/passwd
mode: u-xs,g-xws,o-xwt
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85805-0
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
chmod u-xs,g-xws,o-xwt /etc/passwd
|
Verify Permissions on shadow File
[ref]rule
To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0640 /etc/shadow Rationale:The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. Identifiers:
CCE-85804-3 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.3, R50, SLES-15-900150075, 2.2.6, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Test for existence /etc/shadow
ansible.builtin.stat:
path: /etc/shadow
register: file_exists
tags:
- CCE-85804-3
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/shadow
ansible.builtin.file:
path: /etc/shadow
mode: u-xs,g-xws,o-xwrt
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85804-3
- CJIS-5.5.2.2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
chmod u-xs,g-xws,o-xwrt /etc/shadow
|
Verify Permissions on /etc/shells File
[ref]rule
To properly set the permissions of /etc/shells, run the command:
$ sudo chmod 0644 /etc/shells Rationale:The /etc/shells file contains the list of full pathnames to shells on the system.
Since this file is used by many system programs this file should be protected. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Test for existence /etc/shells
ansible.builtin.stat:
path: /etc/shells
register: file_exists
tags:
- CCE-92562-8
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_permissions_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/shells
ansible.builtin.file:
path: /etc/shells
mode: u-xs,g-xws,o-xwt
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-92562-8
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_permissions_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
chmod u-xs,g-xws,o-xwt /etc/shells
|
Verify File Permissions Within Some Important Directories
[ref]groupSome directories contain files whose confidentiality or integrity
is notably important and may also be susceptible to misconfiguration over time, particularly if
unpackaged software is installed. As such,
an argument exists to verify that files' permissions within these directories remain
configured correctly and restrictively. |
| contains 6 rules |
Verify Group Who Owns /etc/sysctl.d Directory
[ref]rule To properly set the group owner of /etc/sysctl.d, run the command:
$ sudo chgrp root /etc/sysctl.d
Rationale:The ownership of the /etc/sysctl.d directory by the root group is important
because this directory hosts kernel configuration. Protection of this
directory is critical for system security. Assigning the ownership to root
ensures exclusive control of the kernel configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92506-5
- configure_strategy
- directory_groupowner_etc_sysctld
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the root group is defined
ansible.builtin.getent:
database: group
key: root
ignore_errors: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- directory_groupowner_etc_sysctld_newgroup is undefined
tags:
- CCE-92506-5
- configure_strategy
- directory_groupowner_etc_sysctld
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_groupowner_etc_sysctld_newgroup variable if root found
ansible.builtin.set_fact:
directory_groupowner_etc_sysctld_newgroup: root
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ansible_facts.getent_group["root"] is defined
tags:
- CCE-92506-5
- configure_strategy
- directory_groupowner_etc_sysctld
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/sysctl.d/
ansible.builtin.file:
path: /etc/sysctl.d/
follow: false
state: directory
group: '{{ directory_groupowner_etc_sysctld_newgroup }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92506-5
- configure_strategy
- directory_groupowner_etc_sysctld
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
newgroup=""
if getent group "root" >/dev/null 2>&1; then
newgroup="root"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "root is not a defined group on the system"
else
find -P /etc/sysctl.d/ -maxdepth 0 -type d ! -group root -exec chgrp --no-dereference "$newgroup" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify User Who Owns /etc/sysctl.d Directory
[ref]rule To properly set the owner of /etc/sysctl.d, run the command:
$ sudo chown root /etc/sysctl.d
Rationale:The ownership of the /etc/sysctl.d directory by the root user is important
because this directory hosts kernel configuration. Protection of this
directory is critical for system security. Assigning the ownership to root
ensures exclusive control of the kernel configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92513-1
- configure_strategy
- directory_owner_etc_sysctld
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_owner_etc_sysctld_newown variable if represented by uid
ansible.builtin.set_fact:
directory_owner_etc_sysctld_newown: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92513-1
- configure_strategy
- directory_owner_etc_sysctld
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on directory /etc/sysctl.d/
ansible.builtin.file:
path: /etc/sysctl.d/
follow: false
state: directory
owner: '{{ directory_owner_etc_sysctld_newown }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92513-1
- configure_strategy
- directory_owner_etc_sysctld
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
find -P /etc/sysctl.d/ -maxdepth 0 -type d ! -user 0 -exec chown --no-dereference "$newown" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/sysctl.d Directory
[ref]rule To properly set the permissions of /etc/sysctl.d, run the command: $ sudo chmod 0755 /etc/sysctl.d Rationale:Setting correct permissions on the /etc/sysctl.d directory is important
because this directory hosts kernel configuration. Protection of this
directory is critical for system security. Restricting the permissions
ensures exclusive control of the kernel configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92527-1
- configure_strategy
- directory_permissions_etc_sysctld
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/sysctl.d/ file(s)
ansible.builtin.command: 'find -P /etc/sysctl.d/ -maxdepth 0 -perm /u+s,g+ws,o+wt -type
d '
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92527-1
- configure_strategy
- directory_permissions_etc_sysctld
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/sysctl.d/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-s,g-ws,o-wt
state: directory
with_items:
- '{{ files_found.stdout_lines }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92527-1
- configure_strategy
- directory_permissions_etc_sysctld
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
find -H /etc/sysctl.d/ -maxdepth 0 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify that system commands files are group owned by root or a system account
[ref]ruleSystem commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should be owned by the root group,
or a system account.
If the directory, or any file in these directories, is found to be owned
by a group other than root or a a system account correct its ownership
with the following command:
$ sudo chgrp root FILE Rationale:If the operating system allows any user to make changes to software
libraries, then those changes might be implemented without undergoing the
appropriate testing and approvals that are part of a robust change management
process.
This requirement applies to operating systems with software libraries
that are accessible and configurable, as in the case of interpreted languages.
Software libraries also include privileged programs which execute with
escalated privileges. Only qualified and authorized individuals must be
allowed to obtain access to information system components for purposes
of initiating changes, including upgrades and modifications. Remediation Ansible snippet: (show)
| Complexity: | medium |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Verify that system commands files are group owned by root or a system account
- Find system command files with incorrect group ownership
ansible.builtin.find:
paths: '{{ item }}'
file_type: file
follow: false
recurse: false
register: system_command_files_found
with_items:
- /bin
- /sbin
- /usr/bin
- /usr/sbin
- /usr/local/bin
- /usr/local/sbin
changed_when: false
tags:
- CCE-85742-5
- DISA-STIG-SLES-15-010361
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- file_groupownership_system_commands_dirs
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that system commands files are group owned by root or a system account
- Set group ownership to root for system command files
ansible.builtin.file:
path: '{{ item.path }}'
group: root
with_items: '{{ system_command_files_found.results | map(attribute=''files'') |
flatten | rejectattr(''gr_name'', ''equalto'', ''root'') | list }}'
tags:
- CCE-85742-5
- DISA-STIG-SLES-15-010361
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- file_groupownership_system_commands_dirs
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
find -P /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \! -group root -type f -exec chgrp root '{}' \; || true
|
Verify that System Executables Have Root Ownership
[ref]ruleSystem executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE Rationale:System binaries are executed by privileged users as well as system services,
and restrictive permissions are necessary to ensure that their
execution of these programs cannot be co-opted. Identifiers:
CCE-85730-0 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, SLES-15-010359, R50, 1409, SV-234842r991560_rule
| Complexity: | medium |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Read list of system executables without root ownership
ansible.builtin.command: find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/
/usr/local/sbin/ /usr/libexec \! -user root
register: no_root_system_executables
changed_when: false
failed_when: false
check_mode: false
tags:
- CCE-85730-0
- DISA-STIG-SLES-15-010359
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- file_ownership_binary_dirs
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set ownership to root of system executables
ansible.builtin.file:
path: '{{ item }}'
owner: root
with_items: '{{ no_root_system_executables.stdout_lines }}'
when: no_root_system_executables.stdout_lines | length > 0
tags:
- CCE-85730-0
- DISA-STIG-SLES-15-010359
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- file_ownership_binary_dirs
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/ /usr/libexec \! -user root -execdir chown root {} \;
|
Verify that System Executables Have Restrictive Permissions
[ref]ruleSystem executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
$ sudo chmod go-w FILE Rationale:System binaries are executed by privileged users, as well as system services,
and restrictive permissions are necessary to ensure execution of these programs
cannot be co-opted. Identifiers:
CCE-85729-2 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, SLES-15-010358, R50, 1409, SV-234841r991560_rule
| Complexity: | medium |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Read list of world and group writable system executables
ansible.builtin.command: find -L /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin
/usr/libexec -perm /022 \( -type l -o -type f \)
register: world_writable_library_files
changed_when: false
failed_when: false
check_mode: false
tags:
- CCE-85729-2
- DISA-STIG-SLES-15-010358
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- file_permissions_binary_dirs
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Remove world/group writability of system executables
ansible.builtin.file:
path: '{{ item }}'
mode: go-w
state: file
with_items: '{{ world_writable_library_files.stdout_lines }}'
when: world_writable_library_files.stdout_lines | length > 0
tags:
- CCE-85729-2
- DISA-STIG-SLES-15-010358
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- file_permissions_binary_dirs
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
for dirPath in $DIRS; do
find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
done
|
Ensure All World-Writable Directories Are Owned by root User
[ref]ruleAll directories in local partitions which are world-writable should be owned by root.
If any world-writable directories are not owned by root, this should be investigated.
Following this, the files should be deleted or assigned to root user. Rationale:Allowing a user account to own a world-writable directory is undesirable because it allows the
owner of that directory to remove or replace any files that may be placed in the directory by
other users. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Ensure All World-Writable Directories Are Owned by root User - Define Excluded
(Non-Local) File Systems and Paths
ansible.builtin.set_fact:
excluded_fstypes:
- afs
- autofs
- ceph
- cifs
- smb3
- smbfs
- sshfs
- ncpfs
- ncp
- nfs
- nfs4
- gfs
- gfs2
- glusterfs
- gpfs
- pvfs2
- ocfs2
- lustre
- davfs
- fuse.sshfs
excluded_paths:
- dev
- proc
- run
- sys
search_paths: []
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Find Relevant
Root Directories Ignoring Pre-Defined Excluded Paths
ansible.builtin.find:
paths: /
file_type: directory
excludes: '{{ excluded_paths }}'
hidden: true
recurse: false
register: result_relevant_root_dirs
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Include Relevant
Root Directories in a List of Paths to be Searched
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.path]) }}'
loop: '{{ result_relevant_root_dirs.files }}'
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Increment Search
Paths List with Local Partitions Mount Points
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.mount]) }}'
loop: '{{ ansible_mounts }}'
when:
- item.fstype not in excluded_fstypes
- item.mount != '/'
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Increment Search
Paths List with Local NFS File System Targets
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
loop: '{{ ansible_mounts }}'
when: item.device is search("localhost:")
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Define Rule
Specific Facts
ansible.builtin.set_fact:
world_writable_dirs: []
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Find All Uncompliant
Directories in Local File Systems
ansible.builtin.command:
cmd: find {{ item }} -xdev -type d -perm -0002 -uid +0
loop: '{{ search_paths }}'
changed_when: false
register: result_found_dirs
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Create List
of World Writable Directories Not Owned by root
ansible.builtin.set_fact:
world_writable_dirs: '{{ world_writable_dirs | union(item.stdout_lines) | list
}}'
loop: '{{ result_found_dirs.results }}'
when: item is not skipped
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Ensure root
Ownership on Local World Writable Directories
ansible.builtin.file:
path: '{{ item }}'
owner: root
loop: '{{ world_writable_dirs }}'
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# At least under containerized env /proc can have files w/o possilibity to
# modify even as root. And touching /proc is not good idea anyways.
find / -path /proc -prune -o \
-not -fstype afs -not -fstype autofs -not -fstype ceph -not -fstype cifs -not -fstype smb3 \
-not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs \
-not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs \
-not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs \
-not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;
|
Verify that All World-Writable Directories Have Sticky Bits Set
[ref]ruleWhen the so-called 'sticky bit' is set on a directory, only the owner of a given file may
remove that file from the directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky bit prevents users from
removing each other's files. In cases where there is no reason for a directory to be
world-writable, a better solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application, consult that application's
documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR Warning:
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of directories present on the system. It is
not a problem in most cases, but especially systems with a large number of directories can
be affected. See https://access.redhat.com/articles/6999111. Warning:
Please note that there might be cases where the rule remediation cannot fix directory permissions.
This can happen for example when running on a system with some immutable parts.
These immutable parts cannot be remediated because they are read-only.
Example of such directories can be OStree deployments located at /sysroot/ostree/deploy.
In such case, it is needed to make modifications to the underlying ostree snapshot and this is out of scope of regular rule remediation. Failing to set the sticky bit on public directories allows unauthorized users to delete files
in the directory structure.
The only authorized public directories are those temporary directories supplied with the
system, or those designed to be temporary file repositories. The setting is normally reserved
for directories used by the system, by users for temporary file storage (such as /tmp),
and for directories requiring global read/write access. Identifiers:
CCE-83282-4 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000138-GPOS-00069, SLES-15-010300, 1.1.22, R54, 1409, 2.2.6, 2.2, SV-234828r958524_rule
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Excluded
(Non-Local) File Systems and Paths
ansible.builtin.set_fact:
excluded_fstypes:
- afs
- autofs
- ceph
- cifs
- smb3
- smbfs
- sshfs
- ncpfs
- ncp
- nfs
- nfs4
- gfs
- gfs2
- glusterfs
- gpfs
- pvfs2
- ocfs2
- lustre
- davfs
- fuse.sshfs
excluded_paths:
- dev
- proc
- run
- sys
search_paths: []
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find Relevant
Root Directories Ignoring Pre-Defined Excluded Paths
ansible.builtin.find:
paths: /
file_type: directory
excludes: '{{ excluded_paths }}'
hidden: true
recurse: false
register: result_relevant_root_dirs
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Include
Relevant Root Directories in a List of Paths to be Searched
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.path]) }}'
loop: '{{ result_relevant_root_dirs.files }}'
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment
Search Paths List with Local Partitions Mount Points
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.mount]) }}'
loop: '{{ ansible_mounts }}'
when:
- item.fstype not in excluded_fstypes
- item.mount != '/'
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment
Search Paths List with Local NFS File System Targets
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
loop: '{{ ansible_mounts }}'
when: item.device is search("localhost:")
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Rule
Specific Facts
ansible.builtin.set_fact:
world_writable_dirs: []
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find All
Uncompliant Directories in Local File Systems
ansible.builtin.command:
cmd: find {{ item }} -xdev -type d ( -perm -0002 -a ! -perm -1000 )
loop: '{{ search_paths }}'
changed_when: false
register: result_found_dirs
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Create List
of World Writable Directories Without Sticky Bit
ansible.builtin.set_fact:
world_writable_dirs: '{{ world_writable_dirs | union(item.stdout_lines) | list
}}'
loop: '{{ result_found_dirs.results }}'
when: result_found_dirs is not skipped and item is not skipped
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Ensure Sticky
Bit is Set on Local World Writable Directories
ansible.builtin.file:
path: '{{ item }}'
mode: a+t
loop: '{{ world_writable_dirs }}'
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
df --local -P | awk '{if (NR!=1) print $6}' \
| xargs -I '$6' find '$6' -xdev -type d \
\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
-exec chmod a+t {} +
|
Verify that system commands directories have root as a group owner
[ref]ruleSystem commands are stored in the following directories:
by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All these directories should have root user as a group owner.
If any system command directory is not group owned by a user other than root
correct its ownership with the following command:
$ sudo chgrp root DIR Rationale:If the operating system were to allow any user to make changes to
software libraries, then those changes might be implemented without
undergoing the appropriate testing and approvals that are part of a
robust change management process.
This requirement applies to operating systems with software libraries
that are accessible and configurable, as in the case of interpreted languages.
Software libraries also include privileged programs which execute with escalated
privileges. Only qualified and authorized individuals must be allowed to obtain
access to information system components for purposes of initiating changes,
including upgrades and modifications. Remediation Ansible snippet: (show)
| Complexity: | medium |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Verify that system commands directories have root as a group owner - Set group
ownership of directories that contain system commands to root
ansible.builtin.file:
path: '{{ item }}'
group: root
recurse: 'yes'
state: directory
follow: 'yes'
with_items:
- /bin
- /sbin
- /usr/bin
- /usr/sbin
- /usr/local/bin
- /usr/local/sbin
tags:
- CCE-85743-3
- DISA-STIG-SLES-15-010362
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- dir_system_commands_group_root_owned
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
for SYSCMDDIRS in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
do
find -L $SYSCMDDIRS ! -group root -type d -exec chgrp root '{}' \;
done
|
Verify that system commands directories have root ownership
[ref]ruleSystem commands are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All these directories should be owned by the root user.
If any system command directory is not owned by a user other than root
correct its ownership with the following command:
$ sudo chown root DIR Rationale:If the operating system were to allow any user to make changes to
software libraries, then those changes might be implemented without
undergoing the appropriate testing and approvals that are part of a
robust change management process.
This requirement applies to operating systems with software libraries
that are accessible and configurable, as in the case of interpreted languages.
Software libraries also include privileged programs which execute with escalated
privileges. Only qualified and authorized individuals must be allowed to obtain
access to information system components for purposes of initiating changes,
including upgrades and modifications. Remediation Ansible snippet: (show)
| Complexity: | medium |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Verify that system commands directories have root ownership - Set ownership
of directories that contain system commands to root
ansible.builtin.file:
path: '{{ item }}'
owner: root
recurse: 'yes'
state: directory
follow: 'yes'
with_items:
- /bin
- /sbin
- /usr/bin
- /usr/sbin
- /usr/local/bin
- /usr/local/sbin
tags:
- CCE-85741-7
- DISA-STIG-SLES-15-010360
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- dir_system_commands_root_owned
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
for SYSCMDDIRS in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
do
find -L $SYSCMDDIRS \! -user root -type d -exec chown root {} \;
done
|
Verify Group Who Owns /etc/crypttab File
[ref]rule To properly set the group owner of /etc/crypttab, run the command:
$ sudo chgrp root /etc/crypttab
Rationale:The ownership of the /etc/crypttab file by the root group is important
because this file hosts encrypted block devices configuration. Protection
of this file is critical for system security. Assigning the ownership to
root ensures exclusive control of the encrypted block devices
configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_groupowner_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the root group is defined
ansible.builtin.getent:
database: group
key: root
ignore_errors: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_groupowner_etc_crypttab_newgroup is undefined
tags:
- configure_strategy
- file_groupowner_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_crypttab_newgroup variable if root found
ansible.builtin.set_fact:
file_groupowner_etc_crypttab_newgroup: root
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ansible_facts.getent_group["root"] is defined
tags:
- configure_strategy
- file_groupowner_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/crypttab
ansible.builtin.stat:
path: /etc/crypttab
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_groupowner_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/crypttab
ansible.builtin.file:
path: /etc/crypttab
follow: false
group: '{{ file_groupowner_etc_crypttab_newgroup }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_groupowner_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
newgroup=""
if getent group "root" >/dev/null 2>&1; then
newgroup="root"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "root is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/crypttab" | grep -E -w -q "root"; then
chgrp --no-dereference "$newgroup" /etc/crypttab
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify User Who Owns /etc/crypttab File
[ref]rule To properly set the owner of /etc/crypttab, run the command:
$ sudo chown root /etc/crypttab
Rationale:The ownership of the /etc/crypttab file by the root user is important
because this file hosts encrypted block devices configuration. Protection
of this file is critical for system security. Assigning the ownership to
root ensures exclusive control of the encrypted block devices
configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_owner_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_crypttab_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_crypttab_newown: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_owner_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/crypttab
ansible.builtin.stat:
path: /etc/crypttab
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_owner_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/crypttab
ansible.builtin.file:
path: /etc/crypttab
follow: false
owner: '{{ file_owner_etc_crypttab_newown }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_owner_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/crypttab" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/crypttab
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/crypttab File
[ref]rule To properly set the permissions of /etc/crypttab, run the command: $ sudo chmod 0600 /etc/crypttab Rationale:Setting correct permissions on the /etc/crypttab file is important
because this file hosts encrypted block devices configuration. Protection
of this file is critical for system security. Assigning the ownership to
root ensures exclusive control of the encrypted block devices
configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_permissions_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/crypttab
ansible.builtin.stat:
path: /etc/crypttab
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_permissions_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/crypttab
ansible.builtin.file:
path: /etc/crypttab
mode: u-xs,g-xwrs,o-xwrt
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_permissions_etc_crypttab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
chmod u-xs,g-xwrs,o-xwrt /etc/crypttab
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure All SGID Executables Are Authorized
[ref]ruleThe SGID (set group id) bit should be set only on files that were installed via authorized
means. A straightforward means of identifying unauthorized SGID files is determine if any were
not installed as part of an RPM package, which is cryptographically verified. Investigate the
origin of any unpackaged SGID files. This configuration check considers authorized SGID files
those which were installed via RPM. It is assumed that when an individual has sudo access to
install an RPM and all packages are signed with an organizationally-recognized GPG key, the
software should be considered an approved package on the system. Any SGID file not deployed
through an RPM will be flagged for further review. Warning:
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of files present on the system. It is not a
problem in most cases, but especially systems with a large number of files can be affected.
See https://access.redhat.com/articles/6999111. Executable files with the SGID permission run with the privileges of the owner of the file.
SGID files of uncertain provenance could allow for unprivileged users to elevate privileges.
The presence of these files should be strictly controlled on the system. Identifiers:
CCE-91175-0 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 6.1.12, R56, 1409 |
Ensure All SUID Executables Are Authorized
[ref]ruleThe SUID (set user id) bit should be set only on files that were installed via authorized
means. A straightforward means of identifying unauthorized SUID files is determine if any were
not installed as part of an RPM package, which is cryptographically verified. Investigate the
origin of any unpackaged SUID files. This configuration check considers authorized SUID files
those which were installed via RPM. It is assumed that when an individual has sudo access to
install an RPM and all packages are signed with an organizationally-recognized GPG key, the
software should be considered an approved package on the system. Any SUID file not deployed
through an RPM will be flagged for further review. Warning:
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of files present on the system. It is not a
problem in most cases, but especially systems with a large number of files can be affected.
See https://access.redhat.com/articles/6999111. Executable files with the SUID permission run with the privileges of the owner of the file.
SUID files of uncertain provenance could allow for unprivileged users to elevate privileges.
The presence of these files should be strictly controlled on the system. Identifiers:
CCE-91174-3 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 6.1.11, R56, SLES-15-900150195, 1409 |
Ensure No World-Writable Files Exist
[ref]ruleIt is generally a good idea to remove global (other) write access to a file when it is
discovered. However, check with documentation for specific applications before making changes.
Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured
application or user account. Finally, this applies to real files and not virtual files that
are a part of pseudo file systems such as sysfs or procfs. Warning:
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of files present on the system. It is not a
problem in most cases, but especially systems with a large number of files can be affected.
See https://access.redhat.com/articles/6999111. Data in world-writable files can be modified by any user on the system. In almost all
circumstances, files can be configured using a combination of user and group permissions to
support whatever legitimate access is needed without the risk caused by world-writable files. Identifiers:
CCE-91233-7 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 6.1.8, R54, SLES-15-900150165, 1409, 2.2.6, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
# Do not consider /sysroot partition because it contains only the physical
# read-only root on bootable containers.
PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | awk '{ print $1 }' | grep -v "/sysroot")
for PARTITION in $PARTITIONS; do
find "${PARTITION}" -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null
done
# Ensure /tmp is also fixed when tmpfs is used.
if grep "^tmpfs /tmp" /proc/mounts; then
find /tmp -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null
fi
|
Ensure All Files Are Owned by a Group
[ref]ruleIf any file is not group-owned by a valid defined group, the cause of the lack of
group-ownership must be investigated. Following this, those files should be deleted or
assigned to an appropriate group. The groups need to be defined in /etc/group
or in /usr/lib/group if nss-altfiles are configured to be used
in /etc/nsswitch.conf.
Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid group using the following command:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null Warning:
This rule only considers local groups as valid groups.
If you have your groups defined outside /etc/group or /usr/lib/group, the rule won't consider those. Warning:
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of files present on the system. It is not a
problem in most cases, but especially systems with a large number of files can be affected.
See https://access.redhat.com/articles/6999111. Unowned files do not directly imply a security problem, but they are generally a sign that
something is amiss. They may be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging to a deleted account, or
other similar cases. The files should be repaired so they will not cause problems when
accounts are created in the future, and the cause should be discovered and addressed. Identifiers:
CCE-85658-3 References:
1, 11, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, SRG-OS-000480-GPOS-00227, SLES-15-040410, 6.1.10, R53, 2.2.6, 2.2, SV-235029r991589_rule |
Ensure All Files Are Owned by a User
[ref]ruleIf any files are not owned by a user, then the cause of their lack of ownership should be
investigated. Following this, the files should be deleted or assigned to an appropriate user.
Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid user using the following command:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null Warning:
For this rule to evaluate centralized user accounts, getent must be working properly
so that running the command getent passwd returns a list of all users in your organization.
If using the System Security Services Daemon (SSSD), enumerate = true must be configured
in your organization's domain to return a complete list of users Warning:
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of files present on the system. It is not a
problem in most cases, but especially systems with a large number of files can be affected.
See https://access.redhat.com/articles/6999111. Unowned files do not directly imply a security problem, but they are generally a sign that
something is amiss. They may be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging to a deleted account, or
other similar cases. The files should be repaired so they will not cause problems when
accounts are created in the future, and the cause should be discovered and addressed. Identifiers:
CCE-85657-5 References:
11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SLES-15-040400, 6.1.9, R53, SLES-15-900150180, 2.2.6, 2.2, SV-235028r991589_rule |
Enable Kernel Parameter to Enforce DAC on Hardlinks
[ref]ruleTo set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1 Rationale:By enabling this kernel parameter, users can no longer create soft or hard links to
files which they do not own. Disallowing such hardlinks mitigate vulnerabilities
based on insecure file system accessed by privileged programs, avoiding an
exploitation vector exploiting unsafe use of open() or creat(). Identifiers:
CCE-91252-7 References:
CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125, R14, SLES-15-150750180
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91252-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Set fact for sysctl
paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91252-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Find all files that
contain fs.protected_hardlinks
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*fs.protected_hardlinks\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91252-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Find all files that
set fs.protected_hardlinks to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*fs.protected_hardlinks\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91252-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Comment out any occurrences
of fs.protected_hardlinks from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*fs.protected_hardlinks
replace: '#fs.protected_hardlinks'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91252-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Comment out any occurrences
of fs.protected_hardlinks from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*fs.protected_hardlinks
replace: '#fs.protected_hardlinks'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91252-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Ensure sysctl fs.protected_hardlinks
is set to 1
ansible.posix.sysctl:
name: fs.protected_hardlinks
value: '1'
sysctl_file: /etc/sysctl.d/fs_protected_hardlinks.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91252-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_hardlinks.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "fs.protected_hardlinks" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/fs_protected_hardlinks.conf'
#
# Set runtime for fs.protected_hardlinks
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w fs.protected_hardlinks="1"
fi
#
# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to "1"
# else, add "fs.protected_hardlinks = 1" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_hardlinks")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_hardlinks\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_hardlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91252-7"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Enable Kernel Parameter to Enforce DAC on Symlinks
[ref]ruleTo set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 Rationale:By enabling this kernel parameter, symbolic links are permitted to be followed
only when outside a sticky world-writable directory, or when the UID of the
link and follower match, or when the directory owner matches the symlink's owner.
Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system
accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of
open() or creat(). Identifiers:
CCE-91253-5 References:
CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125, R14, SLES-15-150750180
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91253-5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91253-5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Find all files that contain
fs.protected_symlinks
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*fs.protected_symlinks\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91253-5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Find all files that set
fs.protected_symlinks to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*fs.protected_symlinks\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91253-5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Comment out any occurrences
of fs.protected_symlinks from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*fs.protected_symlinks
replace: '#fs.protected_symlinks'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91253-5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Comment out any occurrences
of fs.protected_symlinks from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*fs.protected_symlinks
replace: '#fs.protected_symlinks'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91253-5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Ensure sysctl fs.protected_symlinks
is set to 1
ansible.posix.sysctl:
name: fs.protected_symlinks
value: '1'
sysctl_file: /etc/sysctl.d/fs_protected_symlinks.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91253-5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_symlinks.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "fs.protected_symlinks" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/fs_protected_symlinks.conf'
#
# Set runtime for fs.protected_symlinks
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w fs.protected_symlinks="1"
fi
#
# If fs.protected_symlinks present in /etc/sysctl.conf, change value to "1"
# else, add "fs.protected_symlinks = 1" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_symlinks")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_symlinks\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_symlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91253-5"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Restrict Partition Mount Options
[ref]groupSystem partitions can be mounted with certain options
that limit what files on those partitions can do. These options
are set in the /etc/fstab configuration file, and can be
used to make certain types of malicious behavior more difficult. |
| contains 15 rules |
Add noexec Option to /boot
[ref]ruleThe noexec mount option can be used to prevent binaries from being
executed out of /boot.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/boot. Rationale:The /boot partition contains the kernel and the bootloader. No
binaries should be executed from this partition after the booting process
finishes. Identifiers:
CCE-91234-5 References:
R28
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91234-5
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_noexec
- no_reboot_needed
- name: 'Add noexec Option to /boot: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/boot'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-91234-5
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_noexec
- no_reboot_needed
- name: 'Add noexec Option to /boot: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91234-5
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_noexec
- no_reboot_needed
- name: 'Add noexec Option to /boot: If /boot not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /boot
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91234-5
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_noexec
- no_reboot_needed
- name: 'Add noexec Option to /boot: Make sure noexec option is part of the to /boot
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- CCE-91234-5
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_noexec
- no_reboot_needed
- name: 'Add noexec Option to /boot: Ensure /boot is mounted with noexec option'
ansible.posix.mount:
path: /boot
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91234-5
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_noexec
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation {
# the mount point /boot has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /boot defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
fi
if mkdir -p "/boot"; then
if mountpoint -q "/boot"; then
mount -o remount --target "/boot"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add nosuid Option to /boot
[ref]ruleThe nosuid mount option can be used to prevent
execution of setuid programs in /boot. The SUID and SGID permissions
should not be required on the boot partition.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/boot. Rationale:The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from boot partitions. Identifiers:
CCE-91235-2 References:
CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, R28
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91235-2
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /boot: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/boot'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-91235-2
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /boot: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91235-2
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /boot: If /boot not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /boot
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91235-2
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /boot: Make sure nosuid option is part of the to /boot
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- CCE-91235-2
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /boot: Ensure /boot is mounted with nosuid option'
ansible.posix.mount:
path: /boot
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91235-2
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nosuid
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation {
# the mount point /boot has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /boot defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
fi
if mkdir -p "/boot"; then
if mountpoint -q "/boot"; then
mount -o remount --target "/boot"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add noexec Option to /home
[ref]ruleThe noexec mount option can be used to prevent binaries from being
executed out of /home.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. Rationale:The /home directory contains data of individual users. Binaries in
this directory should not be considered as trusted and users should not be
able to execute them. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91236-0
- NIST-800-53-CM-6(b)
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_noexec
- no_reboot_needed
- name: 'Add noexec Option to /home: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/home'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-91236-0
- NIST-800-53-CM-6(b)
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_noexec
- no_reboot_needed
- name: 'Add noexec Option to /home: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91236-0
- NIST-800-53-CM-6(b)
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_noexec
- no_reboot_needed
- name: 'Add noexec Option to /home: If /home not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /home
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91236-0
- NIST-800-53-CM-6(b)
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_noexec
- no_reboot_needed
- name: 'Add noexec Option to /home: Make sure noexec option is part of the to /home
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- CCE-91236-0
- NIST-800-53-CM-6(b)
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_noexec
- no_reboot_needed
- name: 'Add noexec Option to /home: Ensure /home is mounted with noexec option'
ansible.posix.mount:
path: /home
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91236-0
- NIST-800-53-CM-6(b)
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_noexec
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation {
# the mount point /home has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /home defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
fi
if mkdir -p "/home"; then
if mountpoint -q "/home"; then
mount -o remount --target "/home"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add nosuid Option to /home
[ref]ruleThe nosuid mount option can be used to prevent
execution of setuid programs in /home. The SUID and SGID permissions
should not be required in these user data directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. Rationale:The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from user home directory partitions. Identifiers:
CCE-85633-6 References:
11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, SLES-15-040140, R28, SLES-15-150150300, SV-234998r991589_rule
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85633-6
- DISA-STIG-SLES-15-040140
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /home: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/home'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-85633-6
- DISA-STIG-SLES-15-040140
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /home: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-85633-6
- DISA-STIG-SLES-15-040140
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /home: If /home not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /home
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-85633-6
- DISA-STIG-SLES-15-040140
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /home: Make sure nosuid option is part of the to /home
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- CCE-85633-6
- DISA-STIG-SLES-15-040140
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /home: Ensure /home is mounted with nosuid option'
ansible.posix.mount:
path: /home
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-85633-6
- DISA-STIG-SLES-15-040140
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); }; then
function perform_remediation {
# the mount point /home has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /home defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
fi
if mkdir -p "/home"; then
if mountpoint -q "/home"; then
mount -o remount --target "/home"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add nodev Option to Non-Root Local Partitions
[ref]ruleThe nodev mount option prevents files from being interpreted as
character or block devices. Legitimate character and block devices should
exist only in the /dev directory on the root partition or within
chroot jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any non-root local partitions. Warning:
This rule checks only local partitions, identified as those backed by
a device node in /dev. Network file systems such as NFS, CIFS,
GlusterFS and others are excluded because they do not expose local
device nodes. The /boot and /efi partitions are
excluded because they are special partitions usually handled by a
systemd mount unit, and enforcing nodev on them during
operating system installation causes issues. Partitions with the
vfat file system type are excluded because vfat does not
support Unix device special files, so nodev enforcement on
them is not meaningful. The nodev mount option prevents files from being
interpreted as character or block devices. The only legitimate location
for device files is the /dev directory located on the root partition.
The only exception to this is chroot jails, for which it is not advised
to set nodev on these filesystems. Identifiers:
CCE-91237-8 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, R28
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91237-8
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_nodev_nonroot_local_partitions
- no_reboot_needed
- name: 'Add nodev Option to Non-Root Local Partitions: Refresh facts'
ansible.builtin.setup:
gather_subset: mounts
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-91237-8
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_nodev_nonroot_local_partitions
- no_reboot_needed
- name: 'Add nodev Option to Non-Root Local Partitions: Define excluded (non-local)
file systems'
ansible.builtin.set_fact:
excluded_fstypes:
- afs
- autofs
- ceph
- cifs
- smb3
- smbfs
- sshfs
- ncpfs
- ncp
- nfs
- nfs4
- gfs
- gfs2
- glusterfs
- gpfs
- pvfs2
- ocfs2
- lustre
- davfs
- fuse.sshfs
- vfat
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-91237-8
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_nodev_nonroot_local_partitions
- no_reboot_needed
- name: 'Add nodev Option to Non-Root Local Partitions: Ensure non-root local partitions
are mounted with nodev option'
ansible.posix.mount:
path: '{{ item.mount }}'
src: '{{ item.device }}'
opts: '{{ item.options }},nodev'
state: mounted
fstype: '{{ item.fstype }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- item.mount is match('/\w')
- item.mount is not match('/(boot|efi)')
- item.options is not search('nodev')
- item.fstype not in excluded_fstypes
- (not accounts_polyinstantiated_var_tmp | default(false)) or item.mount != '/var/tmp/tmp-inst'
- (not accounts_polyinstantiated_tmp | default(false)) or item.mount != '/tmp/tmp-inst'
with_items:
- '{{ ansible_facts.mounts }}'
tags:
- CCE-91237-8
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_nodev_nonroot_local_partitions
- no_reboot_needed
- name: 'Add nodev Option to Non-Root Local Partitions: Ensure non-root local partitions
are present with nodev option in /etc/fstab'
ansible.builtin.replace:
path: /etc/fstab
regexp: ^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/(?!boot|efi)\w\S*)\s+(?!vfat\s)(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$
replace: \1 \2 \3 \4,nodev \5
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-91237-8
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_nodev_nonroot_local_partitions
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
MOUNT_OPTION="nodev"
# Create array of local non-root partitions
readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep -v "^/proc" | grep "\s/dev/\w")
# Create array of polyinstantiated directories, in case one of them is found in mtab
readarray -t polyinstantiated_dirs < \
<(grep -oP "^\s*[^#\s]+\s+\S+" /etc/security/namespace.conf | grep -oP "(?<=\s)\S+?(?=/?\$)")
# Define excluded non-local file systems
excluded_fstypes=(
afs
autofs
ceph
cifs
smb3
smbfs
sshfs
ncpfs
ncp
nfs
nfs4
gfs
gfs2
glusterfs
gpfs
pvfs2
ocfs2
lustre
davfs
fuse.sshfs
vfat
)
for partition_record in "${partitions_records[@]}"; do
# Get all important information for fstab
mount_point="$(echo "${partition_record}" | cut -d " " -f1)"
device="$(echo "${partition_record}" | cut -d " " -f2)"
device_type="$(echo "${partition_record}" | cut -d " " -f3)"
# Skip /boot and /efi partitions
if [[ "$mount_point" =~ ^/(boot|efi) ]]; then
continue
fi
# Skip polyinstantiated directories
if printf '%s\0' "${polyinstantiated_dirs[@]}" | grep -qxzF "$mount_point"; then
continue
fi
# Skip any non-local filesystem
for excluded_fstype in "${excluded_fstypes[@]}"; do
if [[ "$device_type" == "$excluded_fstype" ]]; then
# jump out of both loops and move to next partition_record
continue 2
fi
done
# If we reach here, it's a local, non-root partition that isn't excluded.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" $mount_point)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|$MOUNT_OPTION)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type="$device_type"
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo "$device $mount_point $device_type defaults,${previous_mount_opts}$MOUNT_OPTION 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "$MOUNT_OPTION"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,$MOUNT_OPTION|" /etc/fstab
fi
if mkdir -p "$mount_point"; then
if mountpoint -q "$mount_point"; then
mount -o remount --target "$mount_point"
fi
fi
done
# Remediate unmounted /etc/fstab entries, excluding /boot, /efi, and vfat partitions
sed -i -E '/nodev/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/(boot|efi)/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/\w\S*\s+vfat\s/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5; } }' /etc/fstab
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add nosuid Option to /opt
[ref]ruleThe nosuid mount option can be used to prevent
execution of setuid programs in /opt. The SUID and SGID permissions
should not be required in this directory.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/opt. Rationale:The presence of SUID and SGID executables should be tightly controlled. The
/opt directory contains additional software packages. Users should
not be able to execute SUID or SGID binaries from this directory. Identifiers:
CCE-91270-9 References:
R28
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91270-9
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_opt_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /opt: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/opt'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/opt" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-91270-9
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_opt_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /opt: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/opt" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91270-9
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_opt_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /opt: If /opt not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /opt
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/opt" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91270-9
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_opt_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /opt: Make sure nosuid option is part of the to /opt
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/opt" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- CCE-91270-9
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_opt_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /opt: Ensure /opt is mounted with nosuid option'
ansible.posix.mount:
path: /opt
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/opt" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91270-9
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_opt_nosuid
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/opt" > /dev/null || findmnt --fstab "/opt" > /dev/null ); }; then
function perform_remediation {
# the mount point /opt has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/opt")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/opt' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /opt in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /opt)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /opt defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
fi
if mkdir -p "/opt"; then
if mountpoint -q "/opt"; then
mount -o remount --target "/opt"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add nosuid Option to /srv
[ref]ruleThe nosuid mount option can be used to prevent
execution of setuid programs in /srv. The SUID and SGID permissions
should not be required in this directory.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/srv. Rationale:The presence of SUID and SGID executables should be tightly controlled. The
/srv directory contains files served by various network services such as FTP. Users should
not be able to execute SUID or SGID binaries from this directory. Identifiers:
CCE-91271-7 References:
R28
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91271-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_srv_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /srv: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/srv'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/srv" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-91271-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_srv_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /srv: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/srv" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91271-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_srv_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /srv: If /srv not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /srv
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/srv" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91271-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_srv_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /srv: Make sure nosuid option is part of the to /srv
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/srv" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- CCE-91271-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_srv_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /srv: Ensure /srv is mounted with nosuid option'
ansible.posix.mount:
path: /srv
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/srv" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91271-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_srv_nosuid
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/srv" > /dev/null || findmnt --fstab "/srv" > /dev/null ); }; then
function perform_remediation {
# the mount point /srv has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/srv")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/srv' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /srv in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /srv)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /srv defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
fi
if mkdir -p "/srv"; then
if mountpoint -q "/srv"; then
mount -o remount --target "/srv"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add noexec Option to /tmp
[ref]ruleThe noexec mount option can be used to prevent binaries
from being executed out of /tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. Rationale:Allowing users to execute binaries from world-writable directories
such as /tmp should never be necessary in normal operation and
can expose the system to potential compromise. Identifiers:
CCE-91272-5 References:
11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.3, R28, SLES-15-150150195
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91272-5
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-91272-5
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91272-5
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: If /tmp not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /tmp
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91272-5
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Make sure noexec option is part of the to /tmp
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- CCE-91272-5
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Ensure /tmp is mounted with noexec option'
ansible.posix.mount:
path: /tmp
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91272-5
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); }; then
function perform_remediation {
# the mount point /tmp has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
fi
if mkdir -p "/tmp"; then
if mountpoint -q "/tmp"; then
mount -o remount --target "/tmp"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add nosuid Option to /tmp
[ref]ruleThe nosuid mount option can be used to prevent
execution of setuid programs in /tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. Rationale:The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. Identifiers:
CCE-91273-3 References:
11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.5, R28, SLES-15-150150180
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91273-3
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-91273-3
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91273-3
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: If /tmp not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /tmp
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91273-3
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Make sure nosuid option is part of the to /tmp
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- CCE-91273-3
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Ensure /tmp is mounted with nosuid option'
ansible.posix.mount:
path: /tmp
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91273-3
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); }; then
function perform_remediation {
# the mount point /tmp has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
fi
if mkdir -p "/tmp"; then
if mountpoint -q "/tmp"; then
mount -o remount --target "/tmp"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add noexec Option to /var/log
[ref]ruleThe noexec mount option can be used to prevent binaries
from being executed out of /var/log.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. Rationale:Allowing users to execute binaries from directories containing log files
such as /var/log should never be necessary in normal operation and
can expose the system to potential compromise. Identifiers:
CCE-91274-1 References:
CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, R28, SLES-15-150150465
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91274-1
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/log'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-91274-1
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91274-1
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: If /var/log not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91274-1
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Make sure noexec option is part of the to
/var/log options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- CCE-91274-1
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Ensure /var/log is mounted with noexec option'
ansible.posix.mount:
path: /var/log
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91274-1
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); }; then
function perform_remediation {
# the mount point /var/log has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /var/log defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
fi
if mkdir -p "/var/log"; then
if mountpoint -q "/var/log"; then
mount -o remount --target "/var/log"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add nosuid Option to /var/log
[ref]ruleThe nosuid mount option can be used to prevent
execution of setuid programs in /var/log. The SUID and SGID permissions
should not be required in directories containing log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. Rationale:The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for log files. Identifiers:
CCE-91275-8 References:
CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, R28, SLES-15-150150450
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91275-8
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/log'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-91275-8
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91275-8
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: If /var/log not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91275-8
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Make sure nosuid option is part of the to
/var/log options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- CCE-91275-8
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Ensure /var/log is mounted with nosuid option'
ansible.posix.mount:
path: /var/log
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91275-8
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); }; then
function perform_remediation {
# the mount point /var/log has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /var/log defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
fi
if mkdir -p "/var/log"; then
if mountpoint -q "/var/log"; then
mount -o remount --target "/var/log"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add noexec Option to /var
[ref]ruleThe noexec mount option can be used to prevent binaries from being
executed out of /var.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var. Rationale:The /var directory contains variable system data such as logs,
mails and caches. No binaries should be executed from this directory. Identifiers:
CCE-91276-6 References:
R28
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91276-6
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-91276-6
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91276-6
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var: If /var not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91276-6
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var: Make sure noexec option is part of the to /var
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- CCE-91276-6
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var: Ensure /var is mounted with noexec option'
ansible.posix.mount:
path: /var
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91276-6
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_noexec
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); }; then
function perform_remediation {
# the mount point /var has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /var defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
fi
if mkdir -p "/var"; then
if mountpoint -q "/var"; then
mount -o remount --target "/var"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add nosuid Option to /var
[ref]ruleThe nosuid mount option can be used to prevent
execution of setuid programs in /var. The SUID and SGID permissions
should not be required for this directory.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var. Rationale:The presence of SUID and SGID executables should be tightly controlled. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91277-4
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-91277-4
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91277-4
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var: If /var not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91277-4
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var: Make sure nosuid option is part of the to /var
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- CCE-91277-4
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var: Ensure /var is mounted with nosuid option'
ansible.posix.mount:
path: /var
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91277-4
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nosuid
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); }; then
function perform_remediation {
# the mount point /var has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /var defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
fi
if mkdir -p "/var"; then
if mountpoint -q "/var"; then
mount -o remount --target "/var"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add noexec Option to /var/tmp
[ref]ruleThe noexec mount option can be used to prevent binaries
from being executed out of /var/tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. Rationale:Allowing users to execute binaries from world-writable directories
such as /var/tmp should never be necessary in normal operation and
can expose the system to potential compromise. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91278-2
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-91278-2
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91278-2
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: If /var/tmp not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/tmp
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91278-2
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Make sure noexec option is part of the to
/var/tmp options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- CCE-91278-2
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Ensure /var/tmp is mounted with noexec option'
ansible.posix.mount:
path: /var/tmp
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91278-2
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); }; then
function perform_remediation {
# the mount point /var/tmp has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/tmp")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/tmp)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /var/tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
fi
if mkdir -p "/var/tmp"; then
if mountpoint -q "/var/tmp"; then
mount -o remount --target "/var/tmp"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Add nosuid Option to /var/tmp
[ref]ruleThe nosuid mount option can be used to prevent
execution of setuid programs in /var/tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. Rationale:The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | high |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91279-0
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-91279-0
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-91279-0
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: If /var/tmp not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/tmp
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-91279-0
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Make sure nosuid option is part of the to
/var/tmp options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options |
default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- CCE-91279-0
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Ensure /var/tmp is mounted with nosuid option'
ansible.posix.mount:
path: /var/tmp
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- CCE-91279-0
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); }; then
function perform_remediation {
# the mount point /var/tmp has to be defined in /etc/fstab
# before this remediation can be executed. In case it is not defined, the
# remediation aborts and no changes regarding the mount point are done.
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/tmp")"
grep "$mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/tmp)"
# If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
# runtime opts without some automatic kernel/userspace-added defaults
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
[ "$previous_mount_opts" ] && previous_mount_opts+=","
# In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
# fstab as "block". The next variable is to satisfy shellcheck SC2050.
fs_type=""
if [ "$fs_type" == "iso9660" ] ; then
previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
fi
echo " /var/tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
# If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
fi
if mkdir -p "/var/tmp"; then
if mountpoint -q "/var/tmp"; then
mount -o remount --target "/var/tmp"
fi
fi
}
perform_remediation
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Restrict Programs from Dangerous Execution Patterns
[ref]groupThe recommendations in this section are designed to
ensure that the system's features to protect against potentially
dangerous program execution are activated.
These protections are applied at the system initialization or
kernel level, and defend against certain types of badly-configured
or compromised programs. |
| contains 11 rules |
Disable Core Dumps
[ref]groupA core dump file is the memory image of an executable
program when it was terminated by the operating system due to
errant behavior. In most cases, only software developers
legitimately need to access these files. The core dump files may
also contain sensitive information, or unnecessarily occupy large
amounts of disk space.
Once a hard limit is set in /etc/security/limits.conf, or
to a file within the /etc/security/limits.d/ directory, a
user cannot increase that limit within his or her own session. If access
to core dumps is required, consider restricting them to only
certain users or groups. See the limits.conf man page for more
information.
The core dumps of setuid programs are further protected. The
sysctl variable fs.suid_dumpable controls whether
the kernel allows core dumps from these programs at all. The default
value of 0 is recommended. |
| contains 1 rule |
Disable Core Dumps for SUID programs
[ref]ruleTo set the runtime status of the fs.suid_dumpable kernel parameter, run the following command: $ sudo sysctl -w fs.suid_dumpable=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.suid_dumpable = 0 Rationale:The core dump of a setuid program is more likely to contain
sensitive data, as the program itself runs with greater privileges than the
user who initiated execution of the program. Disabling the ability for any
setuid program to write a core file decreases the risk of unauthorized access
of such data. Identifiers:
CCE-91447-3 References:
164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), 1.6.1, R14, SLES-15-150750030, 3.3.1.1, 3.3.1, 3.3
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91447-3
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_suid_dumpable
- name: Disable Core Dumps for SUID programs - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91447-3
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_suid_dumpable
- name: Disable Core Dumps for SUID programs - Find all files that contain fs.suid_dumpable
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*fs.suid_dumpable\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91447-3
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_suid_dumpable
- name: Disable Core Dumps for SUID programs - Find all files that set fs.suid_dumpable
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*fs.suid_dumpable\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91447-3
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_suid_dumpable
- name: Disable Core Dumps for SUID programs - Comment out any occurrences of fs.suid_dumpable
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*fs.suid_dumpable
replace: '#fs.suid_dumpable'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91447-3
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_suid_dumpable
- name: Disable Core Dumps for SUID programs - Comment out any occurrences of fs.suid_dumpable
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*fs.suid_dumpable
replace: '#fs.suid_dumpable'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91447-3
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_suid_dumpable
- name: Disable Core Dumps for SUID programs - Ensure sysctl fs.suid_dumpable is set
to 0
ansible.posix.sysctl:
name: fs.suid_dumpable
value: '0'
sysctl_file: /etc/sysctl.d/fs_suid_dumpable.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91447-3
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_suid_dumpable
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Comment out any occurrences of fs.suid_dumpable from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*fs.suid_dumpable.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "fs.suid_dumpable" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/fs_suid_dumpable.conf'
#
# Set runtime for fs.suid_dumpable
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w fs.suid_dumpable="0"
fi
#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
# else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.suid_dumpable")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^fs.suid_dumpable\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^fs.suid_dumpable\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91447-3"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Enable ExecShield
[ref]groupExecShield describes kernel features that provide
protection against exploitation of memory corruption errors such as buffer
overflows. These features include random placement of the stack and other
memory regions, prevention of execution in memory that should only hold data,
and special handling of text buffers. These protections are enabled by default
on 32-bit systems and controlled through sysctl variables
kernel.exec-shield and kernel.randomize_va_space. On the latest
64-bit systems, kernel.exec-shield cannot be enabled or disabled with
sysctl. |
| contains 2 rules |
Restrict Exposed Kernel Pointer Addresses Access
[ref]ruleTo set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 2 Rationale:Exposing kernel pointers (through procfs or seq_printf()) exposes kernel
writeable structures which may contain functions pointers. If a write vulnerability
occurs in the kernel, allowing write access to any of this structure, the kernel can
be compromised. This option disallow any program without the CAP_SYSLOG capability
to get the addresses of kernel pointers by replacing them with 0. Identifiers:
CCE-83299-8 References:
CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), SC-30(5), CM-6(a), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227, SLES-15-010540, R9, 1409, SV-234861r958928_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83299-8
- DISA-STIG-SLES-15-010540
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: XCCDF Value sysctl_kernel_kptr_restrict_value # promote to variable
set_fact:
sysctl_kernel_kptr_restrict_value: !!str 2
tags:
- always
- name: Restrict Exposed Kernel Pointer Addresses Access - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83299-8
- DISA-STIG-SLES-15-010540
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Find all files that contain
kernel.kptr_restrict
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.kptr_restrict\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83299-8
- DISA-STIG-SLES-15-010540
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Find all files that set
kernel.kptr_restrict to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.kptr_restrict\s*=\s*{{ sysctl_kernel_kptr_restrict_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83299-8
- DISA-STIG-SLES-15-010540
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Comment out any occurrences
of kernel.kptr_restrict from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.kptr_restrict
replace: '#kernel.kptr_restrict'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-83299-8
- DISA-STIG-SLES-15-010540
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Comment out any occurrences
of kernel.kptr_restrict from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.kptr_restrict
replace: '#kernel.kptr_restrict'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83299-8
- DISA-STIG-SLES-15-010540
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Ensure sysctl kernel.kptr_restrict
is set
ansible.posix.sysctl:
name: kernel.kptr_restrict
value: '{{ sysctl_kernel_kptr_restrict_value }}'
sysctl_file: /etc/sysctl.d/kernel_kptr_restrict.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83299-8
- DISA-STIG-SLES-15-010540
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*kernel.kptr_restrict.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "kernel.kptr_restrict" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/kernel_kptr_restrict.conf'
sysctl_kernel_kptr_restrict_value='2'
#
# Set runtime for kernel.kptr_restrict
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value"
fi
#
# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value
# else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.kptr_restrict\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^kernel.kptr_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-83299-8"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Enable Randomized Layout of Virtual Address Space
[ref]ruleTo set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 Rationale:Address space layout randomization (ASLR) makes it more difficult for an
attacker to predict the location of attack code they have introduced into a
process's address space during an attempt at exploitation. Additionally,
ASLR makes it more difficult for an attacker to know the location of
existing code in order to re-purpose it using return oriented programming
(ROP) techniques. Identifiers:
CCE-83300-4 References:
3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), Req-2.2.1, SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, SRG-APP-000450-CTR-001105, SLES-15-010550, 1.6.3, R9, SLES-15-150750015, 1409, 3.3.1.1, 3.3.1, 3.3, SV-234862r958928_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83300-4
- DISA-STIG-SLES-15-010550
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83300-4
- DISA-STIG-SLES-15-010550
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Find all files that contain
kernel.randomize_va_space
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.randomize_va_space\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83300-4
- DISA-STIG-SLES-15-010550
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Find all files that set
kernel.randomize_va_space to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.randomize_va_space\s*=\s*2$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83300-4
- DISA-STIG-SLES-15-010550
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Comment out any occurrences
of kernel.randomize_va_space from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.randomize_va_space
replace: '#kernel.randomize_va_space'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-83300-4
- DISA-STIG-SLES-15-010550
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Comment out any occurrences
of kernel.randomize_va_space from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.randomize_va_space
replace: '#kernel.randomize_va_space'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83300-4
- DISA-STIG-SLES-15-010550
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Ensure sysctl kernel.randomize_va_space
is set to 2
ansible.posix.sysctl:
name: kernel.randomize_va_space
value: '2'
sysctl_file: /etc/sysctl.d/kernel_randomize_va_space.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-83300-4
- DISA-STIG-SLES-15-010550
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "kernel.randomize_va_space" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/kernel_randomize_va_space.conf'
#
# Set runtime for kernel.randomize_va_space
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.randomize_va_space="2"
fi
#
# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
# else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "2"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-83300-4"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Restrict Access to Kernel Message Buffer
[ref]ruleTo set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 Rationale:Unprivileged access to the kernel syslog can expose sensitive kernel
address information. Identifiers:
CCE-91448-1 References:
3.1.5, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, SRG-APP-000243-CTR-000600, SLES-15-010375, R9, 1546, SV-255921r958524_rule
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91448-1
- DISA-STIG-SLES-15-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91448-1
- DISA-STIG-SLES-15-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Find all files that contain kernel.dmesg_restrict
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.dmesg_restrict\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91448-1
- DISA-STIG-SLES-15-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Find all files that set kernel.dmesg_restrict
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.dmesg_restrict\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91448-1
- DISA-STIG-SLES-15-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Comment out any occurrences of
kernel.dmesg_restrict from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.dmesg_restrict
replace: '#kernel.dmesg_restrict'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91448-1
- DISA-STIG-SLES-15-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Comment out any occurrences of
kernel.dmesg_restrict from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.dmesg_restrict
replace: '#kernel.dmesg_restrict'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91448-1
- DISA-STIG-SLES-15-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Ensure sysctl kernel.dmesg_restrict
is set to 1
ansible.posix.sysctl:
name: kernel.dmesg_restrict
value: '1'
sysctl_file: /etc/sysctl.d/kernel_dmesg_restrict.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91448-1
- DISA-STIG-SLES-15-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*kernel.dmesg_restrict.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "kernel.dmesg_restrict" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/kernel_dmesg_restrict.conf'
#
# Set runtime for kernel.dmesg_restrict
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.dmesg_restrict="1"
fi
#
# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.dmesg_restrict")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.dmesg_restrict\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^kernel.dmesg_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91448-1"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Kernel panic on oops
[ref]ruleTo set the runtime status of the kernel.panic_on_oops kernel parameter, run the following command: $ sudo sysctl -w kernel.panic_on_oops=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.panic_on_oops = 1 Warning:
The system may start to panic when it normally wouldn't. A non-catastrophic error that
would have allowed the system to continue operating will now result in a panic. An attacker trying to exploit the kernel may trigger kernel OOPSes,
panicking the system will impede them from continuing. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_panic_on_oops
- name: Kernel panic on oops - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_panic_on_oops
- name: Kernel panic on oops - Find all files that contain kernel.panic_on_oops
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.panic_on_oops\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_panic_on_oops
- name: Kernel panic on oops - Find all files that set kernel.panic_on_oops to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.panic_on_oops\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_panic_on_oops
- name: Kernel panic on oops - Comment out any occurrences of kernel.panic_on_oops
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.panic_on_oops
replace: '#kernel.panic_on_oops'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_panic_on_oops
- name: Kernel panic on oops - Comment out any occurrences of kernel.panic_on_oops
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.panic_on_oops
replace: '#kernel.panic_on_oops'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_panic_on_oops
- name: Kernel panic on oops - Ensure sysctl kernel.panic_on_oops is set to 1
ansible.posix.sysctl:
name: kernel.panic_on_oops
value: '1'
sysctl_file: /etc/sysctl.d/kernel_panic_on_oops.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_panic_on_oops
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of kernel.panic_on_oops from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*kernel.panic_on_oops.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "kernel.panic_on_oops" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/kernel_panic_on_oops.conf'
#
# Set runtime for kernel.panic_on_oops
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.panic_on_oops="1"
fi
#
# If kernel.panic_on_oops present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.panic_on_oops = 1" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.panic_on_oops")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.panic_on_oops\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^kernel.panic_on_oops\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Limit CPU consumption of the Perf system
[ref]ruleTo set the runtime status of the kernel.perf_cpu_time_max_percent kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_cpu_time_max_percent=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_cpu_time_max_percent = 1 Rationale:The kernel.perf_cpu_time_max_percent configures a threshold of
maximum percentile of CPU that can be used by Perf system. Restricting usage
of Perf system decreases risk of potential availability problems. Identifiers:
CCE-91257-6 References:
R9
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91257-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_cpu_time_max_percent
- name: Limit CPU consumption of the Perf system - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91257-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_cpu_time_max_percent
- name: Limit CPU consumption of the Perf system - Find all files that contain kernel.perf_cpu_time_max_percent
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.perf_cpu_time_max_percent\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91257-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_cpu_time_max_percent
- name: Limit CPU consumption of the Perf system - Find all files that set kernel.perf_cpu_time_max_percent
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.perf_cpu_time_max_percent\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91257-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_cpu_time_max_percent
- name: Limit CPU consumption of the Perf system - Comment out any occurrences of
kernel.perf_cpu_time_max_percent from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.perf_cpu_time_max_percent
replace: '#kernel.perf_cpu_time_max_percent'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91257-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_cpu_time_max_percent
- name: Limit CPU consumption of the Perf system - Comment out any occurrences of
kernel.perf_cpu_time_max_percent from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.perf_cpu_time_max_percent
replace: '#kernel.perf_cpu_time_max_percent'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91257-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_cpu_time_max_percent
- name: Limit CPU consumption of the Perf system - Ensure sysctl kernel.perf_cpu_time_max_percent
is set to 1
ansible.posix.sysctl:
name: kernel.perf_cpu_time_max_percent
value: '1'
sysctl_file: /etc/sysctl.d/kernel_perf_cpu_time_max_percent.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91257-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_cpu_time_max_percent
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of kernel.perf_cpu_time_max_percent from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_cpu_time_max_percent.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "kernel.perf_cpu_time_max_percent" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/kernel_perf_cpu_time_max_percent.conf'
#
# Set runtime for kernel.perf_cpu_time_max_percent
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.perf_cpu_time_max_percent="1"
fi
#
# If kernel.perf_cpu_time_max_percent present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.perf_cpu_time_max_percent = 1" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_cpu_time_max_percent")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_cpu_time_max_percent\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_cpu_time_max_percent\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91257-6"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Limit sampling frequency of the Perf system
[ref]ruleTo set the runtime status of the kernel.perf_event_max_sample_rate kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_max_sample_rate=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_max_sample_rate = 1 Rationale:The kernel.perf_event_max_sample_rate parameter configures maximum
frequency of collecting of samples for the Perf system. It is expressed in
samples per second. Restricting usage of Perf system decreases risk
of potential availability problems. Identifiers:
CCE-91259-2 References:
R9
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91259-2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_event_max_sample_rate
- name: Limit sampling frequency of the Perf system - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91259-2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_event_max_sample_rate
- name: Limit sampling frequency of the Perf system - Find all files that contain
kernel.perf_event_max_sample_rate
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.perf_event_max_sample_rate\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91259-2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_event_max_sample_rate
- name: Limit sampling frequency of the Perf system - Find all files that set kernel.perf_event_max_sample_rate
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.perf_event_max_sample_rate\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91259-2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_event_max_sample_rate
- name: Limit sampling frequency of the Perf system - Comment out any occurrences
of kernel.perf_event_max_sample_rate from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.perf_event_max_sample_rate
replace: '#kernel.perf_event_max_sample_rate'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91259-2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_event_max_sample_rate
- name: Limit sampling frequency of the Perf system - Comment out any occurrences
of kernel.perf_event_max_sample_rate from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.perf_event_max_sample_rate
replace: '#kernel.perf_event_max_sample_rate'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91259-2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_event_max_sample_rate
- name: Limit sampling frequency of the Perf system - Ensure sysctl kernel.perf_event_max_sample_rate
is set to 1
ansible.posix.sysctl:
name: kernel.perf_event_max_sample_rate
value: '1'
sysctl_file: /etc/sysctl.d/kernel_perf_event_max_sample_rate.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91259-2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_perf_event_max_sample_rate
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of kernel.perf_event_max_sample_rate from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_max_sample_rate.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "kernel.perf_event_max_sample_rate" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/kernel_perf_event_max_sample_rate.conf'
#
# Set runtime for kernel.perf_event_max_sample_rate
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.perf_event_max_sample_rate="1"
fi
#
# If kernel.perf_event_max_sample_rate present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.perf_event_max_sample_rate = 1" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_max_sample_rate")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_max_sample_rate\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_max_sample_rate\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91259-2"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disallow kernel profiling by unprivileged users
[ref]ruleTo set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2 Rationale:Kernel profiling can reveal sensitive information about kernel behaviour. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91258-4
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disallow kernel profiling by unprivileged users - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91258-4
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disallow kernel profiling by unprivileged users - Find all files that contain
kernel.perf_event_paranoid
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.perf_event_paranoid\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91258-4
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disallow kernel profiling by unprivileged users - Find all files that set
kernel.perf_event_paranoid to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.perf_event_paranoid\s*=\s*2$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91258-4
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disallow kernel profiling by unprivileged users - Comment out any occurrences
of kernel.perf_event_paranoid from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.perf_event_paranoid
replace: '#kernel.perf_event_paranoid'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91258-4
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disallow kernel profiling by unprivileged users - Comment out any occurrences
of kernel.perf_event_paranoid from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.perf_event_paranoid
replace: '#kernel.perf_event_paranoid'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91258-4
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disallow kernel profiling by unprivileged users - Ensure sysctl kernel.perf_event_paranoid
is set to 2
ansible.posix.sysctl:
name: kernel.perf_event_paranoid
value: '2'
sysctl_file: /etc/sysctl.d/kernel_perf_event_paranoid.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91258-4
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of kernel.perf_event_paranoid from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_paranoid.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "kernel.perf_event_paranoid" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/kernel_perf_event_paranoid.conf'
#
# Set runtime for kernel.perf_event_paranoid
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.perf_event_paranoid="2"
fi
#
# If kernel.perf_event_paranoid present in /etc/sysctl.conf, change value to "2"
# else, add "kernel.perf_event_paranoid = 2" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_paranoid")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "2"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_paranoid\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_paranoid\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91258-4"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure maximum number of process identifiers
[ref]ruleTo set the runtime status of the kernel.pid_max kernel parameter, run the following command: $ sudo sysctl -w kernel.pid_max=65536
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.pid_max = 65536 Rationale:The kernel.pid_max parameter configures upper limit on process
identifiers (PID). If this number is not high enough, it might happen that
forking of new processes is not possible, because all available PIDs are
exhausted. Increasing this number enhances availability. Identifiers:
CCE-91260-0 References:
R9
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91260-0
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_pid_max
- name: Configure maximum number of process identifiers - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91260-0
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_pid_max
- name: Configure maximum number of process identifiers - Find all files that contain
kernel.pid_max
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.pid_max\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91260-0
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_pid_max
- name: Configure maximum number of process identifiers - Find all files that set
kernel.pid_max to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.pid_max\s*=\s*65536$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91260-0
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_pid_max
- name: Configure maximum number of process identifiers - Comment out any occurrences
of kernel.pid_max from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.pid_max
replace: '#kernel.pid_max'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91260-0
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_pid_max
- name: Configure maximum number of process identifiers - Comment out any occurrences
of kernel.pid_max from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.pid_max
replace: '#kernel.pid_max'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91260-0
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_pid_max
- name: Configure maximum number of process identifiers - Ensure sysctl kernel.pid_max
is set to 65536
ansible.posix.sysctl:
name: kernel.pid_max
value: '65536'
sysctl_file: /etc/sysctl.d/kernel_pid_max.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91260-0
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_pid_max
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of kernel.pid_max from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*kernel.pid_max.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "kernel.pid_max" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/kernel_pid_max.conf'
#
# Set runtime for kernel.pid_max
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.pid_max="65536"
fi
#
# If kernel.pid_max present in /etc/sysctl.conf, change value to "65536"
# else, add "kernel.pid_max = 65536" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.pid_max")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "65536"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.pid_max\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^kernel.pid_max\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91260-0"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disallow magic SysRq key
[ref]ruleTo set the runtime status of the kernel.sysrq kernel parameter, run the following command: $ sudo sysctl -w kernel.sysrq=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.sysrq = 0 Rationale:The Magic SysRq key allows sending certain commands directly to the running
kernel. It can dump various system and process information, potentially
revealing sensitive information. It can also reboot or shutdown the machine,
disturbing its availability. Identifiers:
CCE-91261-8 References:
R9
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91261-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_sysrq
- name: Disallow magic SysRq key - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91261-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_sysrq
- name: Disallow magic SysRq key - Find all files that contain kernel.sysrq
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.sysrq\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91261-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_sysrq
- name: Disallow magic SysRq key - Find all files that set kernel.sysrq to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.sysrq\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91261-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_sysrq
- name: Disallow magic SysRq key - Comment out any occurrences of kernel.sysrq from
config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.sysrq
replace: '#kernel.sysrq'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91261-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_sysrq
- name: Disallow magic SysRq key - Comment out any occurrences of kernel.sysrq from
/etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.sysrq
replace: '#kernel.sysrq'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91261-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_sysrq
- name: Disallow magic SysRq key - Ensure sysctl kernel.sysrq is set to 0
ansible.posix.sysctl:
name: kernel.sysrq
value: '0'
sysctl_file: /etc/sysctl.d/kernel_sysrq.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91261-8
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_sysrq
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of kernel.sysrq from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*kernel.sysrq.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "kernel.sysrq" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/kernel_sysrq.conf'
#
# Set runtime for kernel.sysrq
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.sysrq="0"
fi
#
# If kernel.sysrq present in /etc/sysctl.conf, change value to "0"
# else, add "kernel.sysrq = 0" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.sysrq")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.sysrq\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^kernel.sysrq\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91261-8"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Prevent applications from mapping low portion of virtual memory
[ref]ruleTo set the runtime status of the vm.mmap_min_addr kernel parameter, run the following command: $ sudo sysctl -w vm.mmap_min_addr=65536
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: vm.mmap_min_addr = 65536 Rationale:The vm.mmap_min_addr parameter specifies the minimum virtual
address that a process is allowed to mmap. Allowing a process to mmap low
portion of virtual memory can have security implications such as such as
heightened risk of kernel null pointer dereference defects. Identifiers:
CCE-91263-4 References:
R8
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91263-4
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_vm_mmap_min_addr
- name: Prevent applications from mapping low portion of virtual memory - Set fact
for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /run/sysctl.d/
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /lib/sysctl.d/
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91263-4
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_vm_mmap_min_addr
- name: Prevent applications from mapping low portion of virtual memory - Find all
files that contain vm.mmap_min_addr
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*vm.mmap_min_addr\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91263-4
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_vm_mmap_min_addr
- name: Prevent applications from mapping low portion of virtual memory - Find all
files that set vm.mmap_min_addr to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*vm.mmap_min_addr\s*=\s*65536$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91263-4
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_vm_mmap_min_addr
- name: Prevent applications from mapping low portion of virtual memory - Comment
out any occurrences of vm.mmap_min_addr from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*vm.mmap_min_addr
replace: '#vm.mmap_min_addr'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CCE-91263-4
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_vm_mmap_min_addr
- name: Prevent applications from mapping low portion of virtual memory - Comment
out any occurrences of vm.mmap_min_addr from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*vm.mmap_min_addr
replace: '#vm.mmap_min_addr'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91263-4
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_vm_mmap_min_addr
- name: Prevent applications from mapping low portion of virtual memory - Ensure sysctl
vm.mmap_min_addr is set to 65536
ansible.posix.sysctl:
name: vm.mmap_min_addr
value: '65536'
sysctl_file: /etc/sysctl.d/vm_mmap_min_addr.conf
state: present
reload: true
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91263-4
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_vm_mmap_min_addr
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | true |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
# Comment out any occurrences of vm.mmap_min_addr from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
# skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
matching_list=$(grep -P '^(?!#).*[\s]*vm.mmap_min_addr.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
# comment out "vm.mmap_min_addr" matches to preserve user data
sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
done <<< "$matching_list"
fi
done
#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/vm_mmap_min_addr.conf'
#
# Set runtime for vm.mmap_min_addr
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w vm.mmap_min_addr="65536"
fi
#
# If vm.mmap_min_addr present in /etc/sysctl.conf, change value to "65536"
# else, add "vm.mmap_min_addr = 65536" to /etc/sysctl.conf
#
sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^vm.mmap_min_addr")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "65536"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^vm.mmap_min_addr\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^vm.mmap_min_addr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
fi
cce="CCE-91263-4"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
SELinux
[ref]groupSELinux is a feature of the Linux kernel which can be
used to guard against misconfigured or compromised programs.
SELinux enforces the idea that programs should be limited in what
files they can access and what actions they can take.
The default SELinux policy, as configured on SUSE Linux Enterprise 15, has been
sufficiently developed and debugged that it should be usable on
almost any system with minimal configuration and a small
amount of system administrator training. This policy prevents
system services - including most of the common network-visible
services such as mail servers, FTP servers, and DNS servers - from
accessing files which those services have no valid reason to
access. This action alone prevents a huge amount of possible damage
from network attacks against services, from trojaned software, and
so forth.
This guide recommends that SELinux be enabled using the
default (targeted) policy on every SUSE Linux Enterprise 15 system, unless that
system has unusual requirements which make a stronger policy
appropriate. |
| contains 8 rules |
SELinux - Booleans
[ref]groupEnable or Disable runtime customization of SELinux system policies
without having to reload or recompile the SELinux policy. |
| contains 1 rule |
Configure the polyinstantiation_enabled SELinux Boolean
[ref]ruleBy default, the SELinux boolean polyinstantiation_enabled is disabled.
This setting should be configured to true.
To set the polyinstantiation_enabled SELinux boolean, run the following command:
$ sudo setsebool -P polyinstantiation_enabled true Rationale:Identifiers:
CCE-91238-6 References:
R55
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91238-6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- sebool_polyinstantiation_enabled
- name: Configure the polyinstantiation_enabled SELinux Boolean - Ensure libsemanage2
Installed
ansible.builtin.package:
name: libsemanage2
state: present
when:
- ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline or lookup("env", "container") == "bwrap-osbuild"
or ansible_facts.selinux.status != "disabled" )
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91238-6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- sebool_polyinstantiation_enabled
- name: Configure the polyinstantiation_enabled SELinux Boolean - Ensure Additional
Packages Installed
become: true
ansible.builtin.package:
name:
- policycoreutils-python-utils
- selinux-tools
- python3-selinux
- python3-semanage
state: present
when:
- ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline or lookup("env", "container") == "bwrap-osbuild"
or ansible_facts.selinux.status != "disabled" )
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91238-6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- sebool_polyinstantiation_enabled
- name: XCCDF Value var_polyinstantiation_enabled # promote to variable
set_fact:
var_polyinstantiation_enabled: !!str true
tags:
- always
- name: Configure the polyinstantiation_enabled SELinux Boolean - Set SELinux Boolean
polyinstantiation_enabled Accordingly
ansible.posix.seboolean:
name: polyinstantiation_enabled
state: '{{ var_polyinstantiation_enabled }}'
persistent: true
when:
- ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline or lookup("env", "container") == "bwrap-osbuild"
or ansible_facts.selinux.status != "disabled" )
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91238-6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- sebool_polyinstantiation_enabled
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
# Remediation is applicable only in certain platforms
if ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) || [ "${container:-}" == "bwrap-osbuild" ] || selinuxenabled ) && rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
zypper install -y "libsemanage2"
# Workaround for https://github.com/OpenSCAP/openscap/issues/2242: Use full
# path to setsebool command to avoid the issue with the command not being
# found.
var_polyinstantiation_enabled='true'
/usr/sbin/setsebool -P polyinstantiation_enabled $var_polyinstantiation_enabled
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Group Who Owns /etc/selinux Directory
[ref]rule To properly set the group owner of /etc/selinux, run the command:
$ sudo chgrp root /etc/selinux
Rationale:The ownership of the /etc/selinux directory by the root group is important
because this directory hosts SELinux configuration. Protection of this
directory is critical for system security. Assigning the ownership to root
ensures exclusive control of the SELinux configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92501-6
- configure_strategy
- directory_groupowner_etc_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the root group is defined
ansible.builtin.getent:
database: group
key: root
ignore_errors: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- directory_groupowner_etc_selinux_newgroup is undefined
tags:
- CCE-92501-6
- configure_strategy
- directory_groupowner_etc_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_groupowner_etc_selinux_newgroup variable if root found
ansible.builtin.set_fact:
directory_groupowner_etc_selinux_newgroup: root
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ansible_facts.getent_group["root"] is defined
tags:
- CCE-92501-6
- configure_strategy
- directory_groupowner_etc_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/selinux/
ansible.builtin.file:
path: /etc/selinux/
follow: false
state: directory
group: '{{ directory_groupowner_etc_selinux_newgroup }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92501-6
- configure_strategy
- directory_groupowner_etc_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
newgroup=""
if getent group "root" >/dev/null 2>&1; then
newgroup="root"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "root is not a defined group on the system"
else
find -P /etc/selinux/ -maxdepth 0 -type d ! -group root -exec chgrp --no-dereference "$newgroup" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify User Who Owns /etc/selinux Directory
[ref]rule To properly set the owner of /etc/selinux, run the command:
$ sudo chown root /etc/selinux
Rationale:The ownership of the /etc/selinux directory by the root user is important
because this directory hosts SELinux configuration. Protection of this
directory is critical for system security. Assigning the ownership to root
ensures exclusive control of the SELinux configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92510-7
- configure_strategy
- directory_owner_etc_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the directory_owner_etc_selinux_newown variable if represented by uid
ansible.builtin.set_fact:
directory_owner_etc_selinux_newown: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92510-7
- configure_strategy
- directory_owner_etc_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on directory /etc/selinux/
ansible.builtin.file:
path: /etc/selinux/
follow: false
state: directory
owner: '{{ directory_owner_etc_selinux_newown }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92510-7
- configure_strategy
- directory_owner_etc_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
find -P /etc/selinux/ -maxdepth 0 -type d ! -user 0 -exec chown --no-dereference "$newown" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/selinux Directory
[ref]rule To properly set the permissions of /etc/selinux, run the command: $ sudo chmod 0755 /etc/selinux Rationale:Setting correct permissions on the /etc/selinux directory is important
because this directory hosts SELinux configuration. Protection of this
directory is critical for system security. Restricting the permissions
ensures exclusive control of the SELinux configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-92524-8
- configure_strategy
- directory_permissions_etc_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/selinux/ file(s)
ansible.builtin.command: 'find -P /etc/selinux/ -maxdepth 0 -perm /u+s,g+ws,o+wt -type
d '
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92524-8
- configure_strategy
- directory_permissions_etc_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/selinux/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-s,g-ws,o-wt
state: directory
with_items:
- '{{ files_found.stdout_lines }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-92524-8
- configure_strategy
- directory_permissions_etc_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
find -H /etc/selinux/ -maxdepth 0 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Group Who Owns /etc/sestatus.conf File
[ref]rule To properly set the group owner of /etc/sestatus.conf, run the command:
$ sudo chgrp root /etc/sestatus.conf
Rationale:The ownership of the /etc/sestatus.conf file by the root group is important
because this file hosts SELinux configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the SELinux configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_groupowner_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the root group is defined
ansible.builtin.getent:
database: group
key: root
ignore_errors: true
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_groupowner_etc_sestatus_conf_newgroup is undefined
tags:
- configure_strategy
- file_groupowner_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_sestatus_conf_newgroup variable if root found
ansible.builtin.set_fact:
file_groupowner_etc_sestatus_conf_newgroup: root
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- ansible_facts.getent_group["root"] is defined
tags:
- configure_strategy
- file_groupowner_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/sestatus.conf
ansible.builtin.stat:
path: /etc/sestatus.conf
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_groupowner_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/sestatus.conf
ansible.builtin.file:
path: /etc/sestatus.conf
follow: false
group: '{{ file_groupowner_etc_sestatus_conf_newgroup }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_groupowner_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
newgroup=""
if getent group "root" >/dev/null 2>&1; then
newgroup="root"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "root is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/sestatus.conf" | grep -E -w -q "root"; then
chgrp --no-dereference "$newgroup" /etc/sestatus.conf
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify User Who Owns /etc/sestatus.conf File
[ref]rule To properly set the owner of /etc/sestatus.conf, run the command:
$ sudo chown root /etc/sestatus.conf
Rationale:The ownership of the /etc/sestatus.conf file by the root user is important
because this file hosts SELinux configuration. Protection of this
file is critical for system security. Assigning the ownership to root
ensures exclusive control of the SELinux configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_owner_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_sestatus_conf_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_sestatus_conf_newown: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_owner_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/sestatus.conf
ansible.builtin.stat:
path: /etc/sestatus.conf
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_owner_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/sestatus.conf
ansible.builtin.file:
path: /etc/sestatus.conf
follow: false
owner: '{{ file_owner_etc_sestatus_conf_newown }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_owner_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/sestatus.conf" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/sestatus.conf
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/sestatus.conf File
[ref]rule To properly set the permissions of /etc/sestatus.conf, run the command: $ sudo chmod 0644 /etc/sestatus.conf Rationale:Setting correct permissions on the /etc/sestatus.conf file is important
because this file hosts SELinux configuration. Protection of this
file is critical for system security. Restricting the permissions
ensures exclusive control of the SELinux configuration. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_permissions_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/sestatus.conf
ansible.builtin.stat:
path: /etc/sestatus.conf
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_permissions_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/sestatus.conf
ansible.builtin.file:
path: /etc/sestatus.conf
mode: u-xs,g-xws,o-xwt
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_permissions_etc_sestatus_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
chmod u-xs,g-xws,o-xwt /etc/sestatus.conf
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure SELinux State is Enforcing
[ref]ruleThe SELinux state should be set to enforcing at
system boot time. In the file /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=enforcing
Ensure that all files have correct SELinux labels by running:
fixfiles onboot
Then reboot the system.Rationale:Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges. Identifiers:
CCE-91446-5 References:
1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, FMT_MOF_EXT.1, SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068, R37, R79, APP.4.4.A4, SYS.1.6.A3, SYS.1.6.A18, SYS.1.6.A21, 1409, 1.2.6, 1.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91446-5
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: XCCDF Value var_selinux_state # promote to variable
set_fact:
var_selinux_state: !!str enforcing
tags:
- always
- name: Ensure SELinux State is Enforcing - Check current SELinux state
ansible.builtin.command:
cmd: getenforce
register: current_selinux_state
check_mode: false
changed_when: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91446-5
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: Ensure SELinux State is Enforcing
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
line: SELINUX={{ var_selinux_state }}
state: present
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91446-5
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: Ensure SELinux State is Enforcing - Mark system to relabel SELinux on next
boot
ansible.builtin.file:
path: /.autorelabel
state: touch
access_time: preserve
modification_time: preserve
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- current_selinux_state.stdout | lower != var_selinux_state
tags:
- CCE-91446-5
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
var_selinux_state='enforcing'
if [ -e "/etc/selinux/config" ] ; then
LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"
else
touch "/etc/selinux/config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/selinux/config"
cp "/etc/selinux/config" "/etc/selinux/config.bak"
# Insert at the end of the file
printf '%s\n' "SELINUX=$var_selinux_state" >> "/etc/selinux/config"
# Clean up after ourselves.
rm "/etc/selinux/config.bak"
fixfiles onboot
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Services
[ref]groupThe best protection against vulnerable software is running less software. This section describes how to review
the software which SUSE Linux Enterprise 15 installs on a system and disable software which is not needed. It
then enumerates the software packages installed on a default SUSE Linux Enterprise 15 system and provides guidance about which
ones can be safely disabled.
SUSE Linux Enterprise 15 provides a convenient minimal install option that essentially installs the bare necessities for a functional
system. When building SUSE Linux Enterprise 15 systems, it is highly recommended to select the minimal packages and then build up
the system from there. |
| contains 32 rules |
The Dynamic Host Configuration Protocol (DHCP) allows
systems to request and obtain an IP address and other configuration
parameters from a server.
This guide recommends configuring networking on clients by manually editing
the appropriate files under /etc/sysconfig. Use of DHCP can make client
systems vulnerable to compromise by rogue DHCP servers, and should be avoided
unless necessary. If using DHCP is necessary, however, there are best practices
that should be followed to minimize security risk. |
| contains 1 rule |
Disable DHCP Server
[ref]groupThe DHCP server dhcpd is not installed or activated by
default. If the software was installed and activated, but the
system does not need to act as a DHCP server, it should be disabled
and removed. |
| contains 1 rule |
Uninstall DHCP Server Package
[ref]ruleIf the system does not need to act as a DHCP server,
the dhcp package can be uninstalled.
The dhcp-server package can be removed with the following command:
$ sudo zypper remove dhcp-server Rationale:Removing the DHCP server ensures that it cannot be easily or
accidentally reactivated and disrupt network operation. Identifiers:
CCE-85759-9 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.5, R62, SLES-15-300150045, 2.2.4, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_dhcp-server
class remove_dhcp-server {
package { 'dhcp-server':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: 'Uninstall DHCP Server Package: Ensure dhcp-server is removed'
ansible.builtin.package:
name: dhcp-server
state: absent
tags:
- CCE-85759-9
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_dhcp_removed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove dhcp-server
# from the system, and may remove any packages
# that depend on dhcp-server. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "dhcp-server"
|
Mail Server Software
[ref]groupMail servers are used to send and receive email over the network.
Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious
targets of network attack.
Ensure that systems are not running MTAs unnecessarily,
and configure needed MTAs as defensively as possible.
Very few systems at any site should be configured to directly receive email over the
network. Users should instead use mail client programs to retrieve email
from a central server that supports protocols such as IMAP or POP3.
However, it is normal for most systems to be independently capable of sending email,
for instance so that cron jobs can report output to an administrator.
Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from
the local system to a central site MTA (or directly delivered to a local account),
but the system still cannot receive mail directly over a network.
The alternatives program in SUSE Linux Enterprise 15 permits selection of other mail server software
(such as Sendmail), but Postfix is the default and is preferred.
Postfix was coded with security in mind and can also be more effectively contained by
SELinux as its modular design has resulted in separate processes performing specific actions.
More information is available on its website,
http://www.postfix.org. |
| contains 3 rules |
Configure SMTP For Mail Clients
[ref]groupThis section discusses settings for Postfix in a submission-only
e-mail configuration. |
| contains 2 rules |
Configure System to Forward All Mail For The Root Account
[ref]ruleMake sure that mails delivered to root user are forwarded to a monitored
email address. Make sure that the address
change_me@localhost is a valid email address
reachable from the system in question. Use the following command to
configure the alias:
$ sudo echo "root: change_me@localhost" >> /etc/aliases
$ sudo newaliases Rationale:A number of system services utilize email messages sent to the root user to
notify system administrators of active or impending issues. These messages must
be forwarded to at least one monitored email address. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85605-4
- DISA-STIG-SLES-15-030580
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- postfix_client_configure_mail_alias
- name: XCCDF Value var_postfix_root_mail_alias # promote to variable
set_fact:
var_postfix_root_mail_alias: !!str change_me@localhost
tags:
- always
- name: Configure System to Forward All Mail For The Root Account - Make sure that
"/etc/aliases" has a defined value for root
ansible.builtin.lineinfile:
path: /etc/aliases
line: 'root: {{ var_postfix_root_mail_alias }}'
regexp: ^(?:[rR][oO][oO][tT]|"[rR][oO][oO][tT]")\s*:\s*(.+)$
create: true
state: present
register: aliases_root_mail_alias_changed
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85605-4
- DISA-STIG-SLES-15-030580
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- postfix_client_configure_mail_alias
- name: Configure System to Forward All Mail For The Root Account - Check if newaliases
command is available
ansible.builtin.stat:
path: /usr/bin/newaliases
register: result_newaliases_present
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85605-4
- DISA-STIG-SLES-15-030580
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- postfix_client_configure_mail_alias
- name: Configure System to Forward All Mail For The Root Account - Update postfix
aliases
ansible.builtin.command:
cmd: newaliases
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- aliases_root_mail_alias_changed is changed
- result_newaliases_present.stat.exists
tags:
- CCE-85605-4
- DISA-STIG-SLES-15-030580
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- postfix_client_configure_mail_alias
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
var_postfix_root_mail_alias='change_me@localhost'
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^root")
# shellcheck disable=SC2059
printf -v formatted_output "%s: %s" "$stripped_key" "$var_postfix_root_mail_alias"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^root\\>" "/etc/aliases"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^root\\>.*/$escaped_formatted_output/gi" "/etc/aliases"
else
if [[ -s "/etc/aliases" ]] && [[ -n "$(tail -c 1 -- "/etc/aliases" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/aliases"
fi
cce="CCE-85605-4"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/aliases" >> "/etc/aliases"
printf '%s\n' "$formatted_output" >> "/etc/aliases"
fi
if [ -f /usr/bin/newaliases ]; then
newaliases
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Disable Postfix Network Listening
[ref]ruleEdit the file /etc/postfix/main.cf to ensure that only the following
inet_interfaces line appears:
inet_interfaces = loopback-only Rationale:This ensures postfix accepts mail messages
(such as cron job reports) from the local system only,
and not from the network, which protects it from network attack. Identifiers:
CCE-91280-8 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.16, R74, SLES-15-300150330, 1.4.2, 1.4
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91280-8
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- postfix_network_listening_disabled
- restrict_strategy
- name: XCCDF Value var_postfix_inet_interfaces # promote to variable
set_fact:
var_postfix_inet_interfaces: !!str loopback-only
tags:
- always
- name: Gather list of packages
ansible.builtin.package_facts:
manager: auto
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"postfix" in ansible_facts.packages'
tags:
- CCE-91280-8
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- postfix_network_listening_disabled
- restrict_strategy
- name: Make changes to Postfix configuration file
ansible.builtin.lineinfile:
path: /etc/postfix/main.cf
create: false
regexp: (?i)^inet_interfaces\s*=\s.*
line: inet_interfaces = {{ var_postfix_inet_interfaces }}
state: present
insertafter: ^inet_interfaces\s*=\s.*
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"postfix" in ansible_facts.packages'
- '"postfix" in ansible_facts.packages'
tags:
- CCE-91280-8
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- postfix_network_listening_disabled
- restrict_strategy
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base && { rpm --quiet -q postfix; }; then
var_postfix_inet_interfaces='loopback-only'
if [ -e "/etc/postfix/main.cf" ] ; then
LC_ALL=C sed -i "/^\s*inet_interfaces\s\+=\s\+/Id" "/etc/postfix/main.cf"
else
touch "/etc/postfix/main.cf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/postfix/main.cf"
cp "/etc/postfix/main.cf" "/etc/postfix/main.cf.bak"
# Insert at the end of the file
printf '%s\n' "inet_interfaces=$var_postfix_inet_interfaces" >> "/etc/postfix/main.cf"
# Clean up after ourselves.
rm "/etc/postfix/main.cf.bak"
systemctl restart postfix
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Uninstall Sendmail Package
[ref]ruleSendmail is not the default mail transfer agent and is
not installed by default.
The sendmail package can be removed with the following command:
$ sudo zypper remove sendmail Rationale:The sendmail software was not developed with security in mind and
its design prevents it from being effectively contained by SELinux. Postfix
should be used instead. Identifiers:
CCE-85761-5 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049, R62
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_sendmail
class remove_sendmail {
package { 'sendmail':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85761-5
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_sendmail_removed
- name: 'Uninstall Sendmail Package: Ensure sendmail is removed'
ansible.builtin.package:
name: sendmail
state: absent
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85761-5
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_sendmail_removed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# CAUTION: This remediation script will remove sendmail
# from the system, and may remove any packages
# that depend on sendmail. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "sendmail"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Network Time Protocol
[ref]groupThe Network Time Protocol is used to manage the system
clock over a network. Computer clocks are not very accurate, so
time will drift unpredictably on unmanaged systems. Central time
protocols can be used both to ensure that time is consistent among
a network of systems, and that their time is consistent with the
outside world.
If every system on a network reliably reports the same time, then it is much
easier to correlate log messages in case of an attack. In addition, a number of
cryptographic protocols (such as Kerberos) use timestamps to prevent certain
types of attacks. If your network does not have synchronized time, these
protocols may be unreliable or even unusable.
Depending on the specifics of the network, global time accuracy may be just as
important as local synchronization, or not very important at all. If your
network is connected to the Internet, using a public timeserver (or one
provided by your enterprise) provides globally accurate timestamps which may be
essential in investigating or responding to an attack which originated outside
of your network.
A typical network setup involves a small number of internal systems operating
as NTP servers, and the remainder obtaining time information from those
internal servers.
There is a choice between the daemons ntpd and chronyd, which
are available from the repositories in the ntp and chrony
packages respectively.
The default chronyd daemon can work well when external time references
are only intermittently accessible, can perform well even when the network is
congested for longer periods of time, can usually synchronize the clock faster
and with better time accuracy, and quickly adapts to sudden changes in the rate
of the clock, for example, due to changes in the temperature of the crystal
oscillator. Chronyd should be considered for all systems which are
frequently suspended or otherwise intermittently disconnected and reconnected
to a network. Mobile and virtual systems for example.
The ntpd NTP daemon fully supports NTP protocol version 4 (RFC 5905),
including broadcast, multicast, manycast clients and servers, and the orphan
mode. It also supports extra authentication schemes based on public-key
cryptography (RFC 5906). The NTP daemon (ntpd) should be considered
for systems which are normally kept permanently on. Systems which are required
to use broadcast or multicast IP, or to perform authentication of packets with
the Autokey protocol, should consider using ntpd.
Refer to
https://en.wikipedia.org/wiki/Network_Time_Protocol
for more detailed comparison of features of chronyd
and ntpd daemon features respectively, and for further guidance how to
choose between the two NTP daemons.
The upstream manual pages at
https://chrony-project.org/documentation.html for
chronyd and
http://www.ntp.org for ntpd provide additional
information on the capabilities and configuration of each of the NTP daemons. |
| contains 2 rules |
Verify User Who Owns /etc/chrony.keys File
[ref]rule To properly set the owner of /etc/chrony.keys, run the command:
$ sudo chown root /etc/chrony.keys
Rationale:The ownership of the /etc/chrony.keys file by the chrony user is important
because this file hosts chrony cryptographic keys. Protection
of this file is critical for system security. Assigning the ownership to
chrony ensures exclusive control of the chrony cryptographic keys. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_owner_etc_chrony_keys
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_chrony_keys_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_chrony_keys_newown: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_owner_etc_chrony_keys
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/chrony.keys
ansible.builtin.stat:
path: /etc/chrony.keys
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_owner_etc_chrony_keys
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/chrony.keys
ansible.builtin.file:
path: /etc/chrony.keys
follow: false
owner: '{{ file_owner_etc_chrony_keys_newown }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_owner_etc_chrony_keys
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/chrony.keys" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/chrony.keys
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions On /etc/chrony.keys File
[ref]rule To properly set the permissions of /etc/chrony.keys, run the command: $ sudo chmod 0640 /etc/chrony.keys Rationale:Setting correct permissions on the /etc/chrony.keys file is important
because this file hosts chrony cryptographic keys. Protection
of this file is critical for system security. Assigning the correct mode
ensures exclusive control of the chrony cryptographic keys. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_permissions_etc_chrony_keys
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/chrony.keys
ansible.builtin.stat:
path: /etc/chrony.keys
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_permissions_etc_chrony_keys
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/chrony.keys
ansible.builtin.file:
path: /etc/chrony.keys
mode: u-xs,g-xws,o-xwrt
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_permissions_etc_chrony_keys
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
chmod u-xs,g-xws,o-xwrt /etc/chrony.keys
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Obsolete Services
[ref]groupThis section discusses a number of network-visible
services which have historically caused problems for system
security, and for which disabling or severely limiting the service
has been the best available guidance for some time. As a result of
this, many of these services are not installed as part of SUSE Linux Enterprise 15
by default.
Organizations which are running these services should
switch to more secure equivalents as soon as possible.
If it remains absolutely necessary to run one of
these services for legacy reasons, care should be taken to restrict
the service as much as possible, for instance by configuring host
firewall software such as iptables to restrict access to the
vulnerable service to only those remote hosts which have a known
need to use it. |
| contains 11 rules |
Xinetd
[ref]groupThe xinetd service acts as a dedicated listener for some
network services (mostly, obsolete ones) and can be used to provide access
controls and perform some logging. It has been largely obsoleted by other
features, and it is not installed by default. The older Inetd service
is not even available as part of SUSE Linux Enterprise 15. |
| contains 1 rule |
Uninstall xinetd Package
[ref]ruleThe xinetd package can be removed with the following command:
$ sudo zypper remove xinetd Rationale:Removing the xinetd package decreases the risk of the
xinetd service's accidental (or intentional) activation. Identifiers:
CCE-91436-6 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 2.1.1, R62, SLES-15-300150300, 1409, 2.2.4, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_xinetd
class remove_xinetd {
package { 'xinetd':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91436-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_xinetd_removed
- name: 'Uninstall xinetd Package: Ensure xinetd is removed'
ansible.builtin.package:
name: xinetd
state: absent
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91436-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_xinetd_removed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# CAUTION: This remediation script will remove xinetd
# from the system, and may remove any packages
# that depend on xinetd. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "xinetd"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
The Network Information Service (NIS), also known as 'Yellow
Pages' (YP), and its successor NIS+ have been made obsolete by
Kerberos, LDAP, and other modern centralized authentication
services. NIS should not be used because it suffers from security
problems inherent in its design, such as inadequate protection of
important authentication information. |
| contains 2 rules |
Remove NIS Client
[ref]ruleThe Network Information Service (NIS), formerly known as Yellow Pages,
is a client-server directory service protocol used to distribute system configuration
files. The NIS client (ypbind) was used to bind a system to an NIS server
and receive the distributed configuration files. Rationale:The NIS service is inherently an insecure system that has been vulnerable
to DOS attacks, buffer overflows and has poor authentication for querying
NIS maps. NIS generally has been replaced by such protocols as Lightweight
Directory Access Protocol (LDAP). It is recommended that the service be
removed. Identifiers:
CCE-91159-4 References:
164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 2.3.1, R62, SLES-15-300300045, 1409, 2.2.4, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_ypbind
class remove_ypbind {
package { 'ypbind':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: 'Remove NIS Client: Ensure ypbind is removed'
ansible.builtin.package:
name: ypbind
state: absent
tags:
- CCE-91159-4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_ypbind_removed
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove ypbind
# from the system, and may remove any packages
# that depend on ypbind. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "ypbind"
|
Uninstall ypserv Package
[ref]ruleThe ypserv package can be removed with the following command:
$ sudo zypper remove ypserv Rationale:The NIS service provides an unencrypted authentication service which does
not provide for the confidentiality and integrity of user passwords or the
remote session.
Removing the ypserv package decreases the risk of the accidental
(or intentional) activation of NIS or NIS+ services. Identifiers:
CCE-91160-2 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.2, SRG-OS-000095-GPOS-00049, 2.2.18, R62, 2.2.4, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_ypserv
class remove_ypserv {
package { 'ypserv':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: 'Uninstall ypserv Package: Ensure ypserv is removed'
ansible.builtin.package:
name: ypserv
state: absent
tags:
- CCE-91160-2
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-5(1)(c)
- PCI-DSS-Req-2.2.2
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_ypserv_removed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove ypserv
# from the system, and may remove any packages
# that depend on ypserv. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "ypserv"
|
Rlogin, Rsh, and Rexec
[ref]groupThe Berkeley r-commands are legacy services which
allow cleartext remote access and have an insecure trust
model. |
| contains 2 rules |
Uninstall rsh-server Package
[ref]ruleThe rsh-server package can be removed with the following command:
$ sudo zypper remove rsh-server Rationale:The rsh-server service provides unencrypted remote access service which does not
provide for the confidentiality and integrity of user passwords or the remote session and has very weak
authentication. If a privileged user were to login using this service, the privileged user password
could be compromised. The rsh-server package provides several obsolete and insecure
network services. Removing it decreases the risk of those services' accidental (or intentional)
activation. Identifiers:
CCE-91425-9 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, R62, 2.2.4, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_rsh-server
class remove_rsh-server {
package { 'rsh-server':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: 'Uninstall rsh-server Package: Ensure rsh-server is removed'
ansible.builtin.package:
name: rsh-server
state: absent
tags:
- CCE-91425-9
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-5(1)(c)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_rsh-server_removed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove rsh-server
# from the system, and may remove any packages
# that depend on rsh-server. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "rsh-server"
|
Uninstall rsh Package
[ref]rule
The rsh package contains the client commands
for the rsh services Rationale:These legacy clients contain numerous security exposures and have
been replaced with the more secure SSH package. Even if the server is removed,
it is best to ensure the clients are also removed to prevent users from
inadvertently attempting to use these commands and therefore exposing
their credentials. Note that removing the rsh package removes
the clients for rsh,rcp, and rlogin. Identifiers:
CCE-85760-7 References:
3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.3.2, R62, 2.2.4, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_rsh
class remove_rsh {
package { 'rsh':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: 'Uninstall rsh Package: Ensure rsh is removed'
ansible.builtin.package:
name: rsh
state: absent
tags:
- CCE-85760-7
- NIST-800-171-3.1.13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_rsh_removed
- unknown_severity
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove rsh
# from the system, and may remove any packages
# that depend on rsh. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "rsh"
|
Chat/Messaging Services
[ref]groupThe talk software makes it possible for users to send and receive messages
across systems through a terminal session. |
| contains 2 rules |
Uninstall talk-server Package
[ref]ruleThe talk-server package can be removed with the following command: $ sudo zypper remove talk-server Rationale:The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the talk-server package decreases the
risk of the accidental (or intentional) activation of talk services. Remediation Puppet snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_talk-server
class remove_talk-server {
package { 'talk-server':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: 'Uninstall talk-server Package: Ensure talk-server is removed'
ansible.builtin.package:
name: talk-server
state: absent
tags:
- CCE-91433-3
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_talk-server_removed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove talk-server
# from the system, and may remove any packages
# that depend on talk-server. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "talk-server"
|
Uninstall talk Package
[ref]ruleThe talk package contains the client program for the
Internet talk protocol, which allows the user to chat with other users on
different systems. Talk is a communication program which copies lines from one
terminal to the terminal of another user.
The talk package can be removed with the following command:
$ sudo zypper remove talk Rationale:The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the talk package decreases the
risk of the accidental (or intentional) activation of talk client program. Remediation Puppet snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_talk
class remove_talk {
package { 'talk':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: 'Uninstall talk Package: Ensure talk is removed'
ansible.builtin.package:
name: talk
state: absent
tags:
- CCE-91432-5
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_talk_removed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove talk
# from the system, and may remove any packages
# that depend on talk. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "talk"
|
Telnet
[ref]groupThe telnet protocol does not provide confidentiality or integrity
for information transmitted on the network. This includes authentication
information such as passwords. Organizations which use telnet should be
actively working to migrate to a more secure protocol. |
| contains 2 rules |
Uninstall telnet-server Package
[ref]ruleThe telnet-server package can be removed with the following command:
$ sudo zypper remove telnet-server Rationale:It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
insecure. They increase the risk to the platform by providing additional
attack vectors.
The telnet service provides an unencrypted remote access service which does
not provide for the confidentiality and integrity of user passwords or the
remote session. If a privileged user were to login using this service, the
privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation. Identifiers:
CCE-83273-3 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.2, SRG-OS-000095-GPOS-00049, SLES-15-010180, 2.2.19, R62, SLES-15-300150240, 1409, 2.2.4, 2.2, SV-234818r987796_rule
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_telnet-server
class remove_telnet-server {
package { 'telnet-server':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: 'Uninstall telnet-server Package: Ensure telnet-server is removed'
ansible.builtin.package:
name: telnet-server
state: absent
tags:
- CCE-83273-3
- DISA-STIG-SLES-15-010180
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.2
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_telnet-server_removed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove telnet-server
# from the system, and may remove any packages
# that depend on telnet-server. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "telnet-server"
|
Remove telnet Clients
[ref]ruleThe telnet client allows users to start connections to other systems via
the telnet protocol. Rationale:The telnet protocol is insecure and unencrypted. The use
of an unencrypted transmission medium could allow an unauthorized user
to steal credentials. The ssh package provides an
encrypted session and stronger security and is included in SUSE Linux Enterprise 15. Identifiers:
CCE-91434-1 References:
3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.3.4, R62, SLES-15-300300060, 1409, 2.2.4, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_telnet
class remove_telnet {
package { 'telnet':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: 'Remove telnet Clients: Ensure telnet is removed'
ansible.builtin.package:
name: telnet
state: absent
tags:
- CCE-91434-1
- NIST-800-171-3.1.13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_telnet_removed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove telnet
# from the system, and may remove any packages
# that depend on telnet. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "telnet"
|
TFTP Server
[ref]groupTFTP is a lightweight version of the FTP protocol which has
traditionally been used to configure networking equipment. However,
TFTP provides little security, and modern versions of networking
operating systems frequently support configuration via SSH or other
more secure protocols. A TFTP server should be run only if no more
secure method of supporting existing equipment can be
found. |
| contains 2 rules |
Uninstall tftp-server Package
[ref]ruleThe tftp-server package can be removed with the following command: $ sudo zypper remove tftp-server Rationale:Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router
configurations), its use must be documented with the Information Systems
Security Manager (ISSM), restricted to only authorized personnel, and have
access control rules established. Identifiers:
CCE-91227-9 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, R62, SLES-15-300150255, 2.2.4, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_tftp-server
class remove_tftp-server {
package { 'tftp-server':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: 'Uninstall tftp-server Package: Ensure tftp-server is removed'
ansible.builtin.package:
name: tftp-server
state: absent
tags:
- CCE-91227-9
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_tftp-server_removed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove tftp-server
# from the system, and may remove any packages
# that depend on tftp-server. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "tftp-server"
|
Remove tftp Daemon
[ref]ruleTrivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
typically used to automatically transfer configuration or boot files between systems.
TFTP does not support authentication and can be easily hacked. The package
tftp is a client program that allows for connections to a tftp server. Rationale:It is recommended that TFTP be removed, unless there is a specific need
for TFTP (such as a boot server). In that case, use extreme caution when configuring
the services. Remediation Puppet snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
include remove_tftp
class remove_tftp {
package { 'tftp':
ensure => 'purged',
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
- name: 'Remove tftp Daemon: Ensure tftp is removed'
ansible.builtin.package:
name: tftp
state: absent
tags:
- CCE-91158-6
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_tftp_removed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove tftp
# from the system, and may remove any packages
# that depend on tftp. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "tftp"
|
SSH Server
[ref]groupThe SSH protocol is recommended for remote login and
remote file transfer. SSH provides confidentiality and integrity
for data exchanged between two systems, as well as server
authentication, through the use of public key cryptography. The
implementation included with the system is called OpenSSH, and more
detailed documentation is available from its website,
https://www.openssh.com.
Its server program is called sshd and provided by the RPM package
openssh-server. |
| contains 10 rules |
Configure OpenSSH Server if Necessary
[ref]groupIf the system needs to act as an SSH server, then
certain changes should be made to the OpenSSH daemon configuration
file /etc/ssh/sshd_config. The following recommendations can be
applied to this file. See the sshd_config(5) man page for more
detailed information. |
| contains 1 rule |
Disable SSH Root Login
[ref]ruleThe root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
/etc/ssh/sshd_config:
PermitRootLogin no Rationale:Even though the communications channel may be encrypted, an additional layer of
security is gained by extending the policy of not logging directly on as root.
In addition, logging in with a user-specific account provides individual
accountability of actions performed on the system and also helps to minimize
direct attack attempts on root's password. Identifiers:
CCE-85557-7 References:
1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FAU_GEN.1, Req-2.2.4, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-APP-000148-CTR-000335, SRG-APP-000190-CTR-000500, SLES-15-020040, 5.2.10, R33, SLES-15-600150300, 1546, 2.2.6, 2.2, SV-234870r1009618_rule
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85557-7
- CJIS-5.5.6
- DISA-STIG-SLES-15-020040
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Disable SSH Root Login
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*PermitRootLogin\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*PermitRootLogin\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*PermitRootLogin\s+
line: PermitRootLogin no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85557-7
- CJIS-5.5.6
- DISA-STIG-SLES-15-020040
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Group Who Owns SSH Server config file
[ref]rule
To properly set the group owner of /etc/ssh/sshd_config, run the command:
$ sudo chgrp root /etc/ssh/sshd_config
Rationale:Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. Identifiers:
CCE-91392-1 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1, R50, SLES-15-600150015
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91392-1
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_sshd_config_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_sshd_config_newgroup: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91392-1
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ssh/sshd_config
ansible.builtin.stat:
path: /etc/ssh/sshd_config
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91392-1
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/ssh/sshd_config
ansible.builtin.file:
path: /etc/ssh/sshd_config
follow: false
group: '{{ file_groupowner_sshd_config_newgroup }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-91392-1
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
newgroup=""
if getent group "0" >/dev/null 2>&1; then
newgroup="0"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "0 is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/ssh/sshd_config" | grep -E -w -q "0"; then
chgrp --no-dereference "$newgroup" /etc/ssh/sshd_config
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Group Ownership on SSH Server Private *_key Key Files
[ref]ruleSSH server private keys, files that match the /etc/ssh/*_key glob, must be
group-owned by root group. Warning:
Remediation is not possible at bootable container build time because SSH host
keys are generated post-deployment. If an unauthorized user obtains the private SSH host key file, the host could be impersonated. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_groupownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupownership_sshd_private_key_newgroup variable if represented
by gid
ansible.builtin.set_fact:
file_groupownership_sshd_private_key_newgroup: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_groupownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*_key$
ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype
posix-extended -regex "^.*_key$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_groupownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/ssh/ file(s) matching ^.*_key$
ansible.builtin.file:
path: '{{ item }}'
follow: false
group: '{{ file_groupownership_sshd_private_key_newgroup }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_groupownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
newgroup=""
if getent group "0" >/dev/null 2>&1; then
newgroup="0"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "0 is not a defined group on the system"
else
find -P /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex '^.*_key$' -exec chgrp --no-dereference "$newgroup" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Group Ownership on SSH Server Public *.pub Key Files
[ref]ruleSSH server public keys, files that match the /etc/ssh/*.pub glob, must be
group-owned by root group. Warning:
Remediation is not possible at bootable container build time because SSH host
keys are generated post-deployment. If a public host key file is modified by an unauthorized user, the SSH service
may be compromised. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_groupownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupownership_sshd_pub_key_newgroup variable if represented
by gid
ansible.builtin.set_fact:
file_groupownership_sshd_pub_key_newgroup: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_groupownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*\.pub$
ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype
posix-extended -regex "^.*\.pub$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_groupownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/ssh/ file(s) matching ^.*\.pub$
ansible.builtin.file:
path: '{{ item }}'
follow: false
group: '{{ file_groupownership_sshd_pub_key_newgroup }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_groupownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
newgroup=""
if getent group "0" >/dev/null 2>&1; then
newgroup="0"
fi
if [[ -z "${newgroup}" ]]; then
>&2 echo "0 is not a defined group on the system"
else
find -P /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex '^.*\.pub$' -exec chgrp --no-dereference "$newgroup" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Owner on SSH Server config file
[ref]rule
To properly set the owner of /etc/ssh/sshd_config, run the command:
$ sudo chown root /etc/ssh/sshd_config
Rationale:Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. Identifiers:
CCE-91393-9 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1, R50, SLES-15-600150015
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91393-9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_sshd_config_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_sshd_config_newown: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91393-9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ssh/sshd_config
ansible.builtin.stat:
path: /etc/ssh/sshd_config
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91393-9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/ssh/sshd_config
ansible.builtin.file:
path: /etc/ssh/sshd_config
follow: false
owner: '{{ file_owner_sshd_config_newown }}'
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-91393-9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
if ! stat -c "%u %U" "/etc/ssh/sshd_config" | grep -E -w -q "0"; then
chown --no-dereference "$newown" /etc/ssh/sshd_config
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Ownership on SSH Server Private *_key Key Files
[ref]ruleSSH server private keys, files that match the /etc/ssh/*_key glob, must be owned
by root user. Warning:
Remediation is not possible at bootable container build time because SSH host
keys are generated post-deployment. If an unauthorized user obtains the private SSH host key file, the host could be impersonated. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_ownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_ownership_sshd_private_key_newown variable if represented by
uid
ansible.builtin.set_fact:
file_ownership_sshd_private_key_newown: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_ownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*_key$
ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype
posix-extended -regex "^.*_key$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_ownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/ssh/ file(s) matching ^.*_key$
ansible.builtin.file:
path: '{{ item }}'
follow: false
owner: '{{ file_ownership_sshd_private_key_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_ownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
find -P /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*_key$' -exec chown --no-dereference "$newown" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Ownership on SSH Server Public *.pub Key Files
[ref]ruleSSH server public keys, files that match the /etc/ssh/*.pub glob, must be owned
by root user. Warning:
Remediation is not possible at bootable container build time because SSH host
keys are generated post-deployment. If a public host key file is modified by an unauthorized user, the SSH service
may be compromised. Remediation Ansible snippet: (show)
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- configure_strategy
- file_ownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_ownership_sshd_pub_key_newown variable if represented by uid
ansible.builtin.set_fact:
file_ownership_sshd_pub_key_newown: '0'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_ownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*\.pub$
ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype
posix-extended -regex "^.*\.pub$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_ownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/ssh/ file(s) matching ^.*\.pub$
ansible.builtin.file:
path: '{{ item }}'
follow: false
owner: '{{ file_ownership_sshd_pub_key_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- configure_strategy
- file_ownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
newown=""
if id "0" >/dev/null 2>&1; then
newown="0"
fi
if [[ -z "$newown" ]]; then
>&2 echo "0 is not a defined user on the system"
else
find -P /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*\.pub$' -exec chown --no-dereference "$newown" {} \;
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions on SSH Server config file
[ref]rule
To properly set the permissions of /etc/ssh/sshd_config, run the command:
$ sudo chmod 0600 /etc/ssh/sshd_config Rationale:Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. Identifiers:
CCE-91306-1 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1, R50, SLES-15-600150015, 2.2.6, 2.2
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91306-1
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ssh/sshd_config
ansible.builtin.stat:
path: /etc/ssh/sshd_config
register: file_exists
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-91306-1
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/ssh/sshd_config
ansible.builtin.file:
path: /etc/ssh/sshd_config
mode: u-xs,g-xwrs,o-xwrt
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-91306-1
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
chmod u-xs,g-xwrs,o-xwrt /etc/ssh/sshd_config
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions on SSH Server Private *_key Key Files
[ref]ruleSSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions.
If those files are owned by the root user and the root group, they have to have the 0640 permission or stricter. Warning:
Remediation is not possible at bootable container build time because SSH host
keys are generated post-deployment. If an unauthorized user obtains the private SSH host key file, the host could be
impersonated. Identifiers:
CCE-85644-3 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.4, SRG-OS-000480-GPOS-00227, SLES-15-040250, 5.2.2, R50, SLES-15-600150030, 1449, 2.2.6, 2.2, SV-235009r991589_rule
include ssh_private_key_perms
class ssh_private_key_perms {
exec { 'sshd_priv_key':
command => "chmod 0640 /etc/ssh/*_key",
path => '/bin:/usr/bin'
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85644-3
- DISA-STIG-SLES-15-040250
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find root:root-owned keys
ansible.builtin.command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$"
-type f -group root -perm /u+xs,g+xws,o+xwrt
register: root_owned_keys
changed_when: false
failed_when: false
check_mode: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85644-3
- DISA-STIG-SLES-15-040250
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for root:root-owned keys
ansible.builtin.file:
path: '{{ item }}'
mode: u-xs,g-xws,o-xwrt
state: file
with_items:
- '{{ root_owned_keys.stdout_lines }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85644-3
- DISA-STIG-SLES-15-040250
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
for keyfile in /etc/ssh/*_key; do
test -f "$keyfile" || continue
if test root:root = "$(stat -c "%U:%G" "$keyfile")"; then
chmod u-xs,g-xws,o-xwrt "$keyfile"
else
echo "Key-like file '$keyfile' is owned by an unexpected user:group combination"
fi
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Verify Permissions on SSH Server Public *.pub Key Files
[ref]rule To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub Warning:
Remediation is not possible at bootable container build time because SSH host
keys are generated post-deployment. If a public host key file is modified by an unauthorized user, the SSH service
may be compromised. Identifiers:
CCE-85643-5 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.4, SRG-OS-000480-GPOS-00227, SLES-15-040240, 5.2.3, R50, 2.2.6, 2.2, SV-235008r991589_rule
include ssh_public_key_perms
class ssh_public_key_perms {
exec { 'sshd_pub_key':
command => "chmod 0644 /etc/ssh/*.pub",
path => '/bin:/usr/bin'
}
}
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85643-5
- DISA-STIG-SLES-15-040240
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/ssh/ file(s)
ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type
f -regextype posix-extended -regex "^.*\.pub$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85643-5
- DISA-STIG-SLES-15-040240
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/ssh/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-xs,g-xws,o-xwt
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85643-5
- DISA-STIG-SLES-15-040240
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then
find -P /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
System Security Services Daemon
[ref]groupThe System Security Services Daemon (SSSD) is a system daemon that provides access
to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD,
openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline
support to systems utilizing SSSD. SSSD using caching to reduce load on authentication
servers permit offline authentication as well as store extended user data.
For more information, see |
| contains 5 rules |
System Security Services Daemon (SSSD) - LDAP
[ref]groupThe System Security Services Daemon (SSSD) is a system daemon that provides access
to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD,
openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline
support to systems utilizing SSSD. SSSD using caching to reduce load on authentication
servers permit offline authentication as well as store extended user data.
SSSD can support many backends including LDAP. The sssd-ldap backend
allows SSSD to fetch identity information from an LDAP server. |
| contains 2 rules |
Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server
[ref]ruleConfigure SSSD to demand a valid certificate from the server to
protect the integrity of LDAP remote access sessions by setting
the ldap_tls_reqcert option in /etc/sssd/sssd.conf
to demand.Rationale:Without a valid certificate presented to the LDAP client backend, the identity of a
server can be forged compromising LDAP remote access sessions. |
Configure SSSD LDAP Backend to Use TLS For All Transactions
[ref]ruleThe LDAP client should be configured to implement TLS for the integrity
of all remote LDAP authentication sessions. If the id_provider is
set to ldap or ipa in /etc/sssd/sssd.conf or any of the
/etc/sssd/sssd.conf.d configuration files, ldap_id_use_start_tls
must be set to true.
To check if LDAP is configured to use TLS when id_provider is
set to ldap or ipa, use the following command:
$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf Rationale:Without cryptographic integrity protections, information can be
altered by unauthorized users without detection. The ssl directive specifies
whether to use TLS or not. If not specified it will default to no.
It should be set to start_tls rather than doing LDAP over SSL. References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000250-GPOS-00093, R67 |
Install the SSSD Package
[ref]ruleThe sssd package should be installed.
The sssd package can be installed with the following command:
$ sudo zypper install sssd Rationale:References:
1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000375-GPOS-00160, R67
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
include install_sssd
class install_sssd {
package { 'sssd':
ensure => 'installed',
}
}
[[packages]]
name = "sssd"
version = "*"
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-CM-6(a)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_sssd_installed
- name: Ensure sssd is installed
ansible.builtin.package:
name: sssd
state: present
when: '"sssd" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_sssd_installed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd; then
zypper install -y "sssd"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Enable the SSSD Service
[ref]ruleThe SSSD service should be enabled.
The sssd service can be enabled with the following command:
$ sudo systemctl enable sssd.service Warning:
The service requires a valid sssd configuration. If the configuration is not present, the service will fail to start and consequently this rule will be reported as failing. The configuration shipped in your distribution package might not be sufficient. Manual modification of configuration files might be required. References:
1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), IA-5(10), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000375-GPOS-00160, R67
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
include enable_sssd
class enable_sssd {
service {'sssd':
enable => true,
ensure => 'running',
}
}
[customizations.services]
enabled = ["sssd"]
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(10)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_sssd_enabled
- name: Enable the SSSD Service - Enable service sssd
block:
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
- name: Enable the SSSD Service - Enable Service sssd
ansible.builtin.systemd:
name: sssd
enabled: true
state: started
masked: false
when:
- '"sssd-common" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(10)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_sssd_enabled
- special_service_block
when:
- '"sssd" in ansible_facts.packages'
- ( "sssd" in ansible_facts.packages and ("kernel-default" in ansible_facts.packages
or "kernel-default-base" in ansible_facts.packages) )
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd && { ( ( rpm --quiet -q sssd && rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ) ); }; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'sssd.service'
if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
"$SYSTEMCTL_EXEC" start 'sssd.service'
fi
"$SYSTEMCTL_EXEC" enable 'sssd.service'
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure PAM in SSSD Services
[ref]ruleSSSD should be configured to run SSSD pam services.
To configure SSSD to known SSH hosts, add pam
to services under the [sssd] section in
/etc/sssd/sssd.conf. For example:
[sssd]
services = sudo, autofs, pam
Rationale:Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device. References:
1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-2(1), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162, R67
| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Reboot: | false |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2(1)
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- sssd_enable_pam_services
- name: Configure PAM in SSSD Services - Find all the conf files inside the /etc/sssd/conf.d/
directory
ansible.builtin.find:
paths:
- /etc/sssd/conf.d/
patterns: '*.conf'
register: sssd_conf_d_files
when: '"sssd" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2(1)
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- sssd_enable_pam_services
- name: Configure PAM in SSSD Services - Modify lines in files in the /etc/sssd/conf.d/
directory
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$
replace: \1,pam
with_items: '{{ sssd_conf_d_files.files | map(attribute=''path'') }}'
register: modify_lines_sssd_conf_d_files
when:
- '"sssd" in ansible_facts.packages'
- sssd_conf_d_files.matched is defined and sssd_conf_d_files.matched >= 1
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2(1)
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- sssd_enable_pam_services
- name: Configure PAM in SSSD Services - Find /etc/sssd/sssd.conf
ansible.builtin.stat:
path: /etc/sssd/sssd.conf
register: sssd_conf_file
when: '"sssd" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2(1)
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- sssd_enable_pam_services
- name: Configure PAM in SSSD Services - Modify lines in /etc/sssd/sssd.conf
ansible.builtin.replace:
path: /etc/sssd/sssd.conf
regexp: ^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$
replace: \1,pam
register: modify_lines_sssd_conf_file
when:
- '"sssd" in ansible_facts.packages'
- sssd_conf_file.stat.exists
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2(1)
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- sssd_enable_pam_services
- name: Configure PAM in SSSD Services - Find services key in /etc/sssd/sssd.conf
ansible.builtin.replace:
path: /etc/sssd/sssd.conf
regexp: ^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+
replace: ''
changed_when: false
check_mode: true
register: sssd_conf_file_services
when:
- '"sssd" in ansible_facts.packages'
- sssd_conf_file.stat.exists
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2(1)
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- sssd_enable_pam_services
- name: Configure PAM in SSSD Services - Insert entry to /etc/sssd/sssd.conf
community.general.ini_file:
path: /etc/sssd/sssd.conf
section: sssd
option: services
value: pam
when:
- '"sssd" in ansible_facts.packages'
- not modify_lines_sssd_conf_d_files.changed
- not modify_lines_sssd_conf_file.changed
- (sssd_conf_file_services.msg is defined and "replacements" not in sssd_conf_file_services.msg)
or not sssd_conf_file.stat.exists
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2(1)
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- sssd_enable_pam_services
|
System Accounting with auditd
[ref]groupThe audit service provides substantial capabilities
for recording system activities. By default, the service audits about
SELinux AVC denials and certain types of security-relevant events
such as system logins, account modifications, and authentication
events performed by programs such as sudo.
Under its default configuration, auditd has modest disk space
requirements, and should not noticeably impact system performance.
NOTE: The Linux Audit daemon auditd can be configured to use
the augenrules program to read audit rules files (*.rules)
located in /etc/audit/rules.d location and compile them to create
the resulting form of the /etc/audit/audit.rules configuration file
during the daemon startup (default configuration). Alternatively, the auditd
daemon can use the auditctl utility to read audit rules from the
/etc/audit/audit.rules configuration file during daemon startup,
and load them into the kernel. The expected behavior is configured via the
appropriate ExecStartPost directive setting in the
/usr/lib/systemd/system/auditd.service configuration file.
To instruct the auditd daemon to use the augenrules program
to read audit rules (default configuration), use the following setting:
ExecStartPost=-/sbin/augenrules --load
in the /usr/lib/systemd/system/auditd.service configuration file.
In order to instruct the auditd daemon to use the auditctl
utility to read audit rules, use the following setting:
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
in the /usr/lib/systemd/system/auditd.service configuration file.
Refer to [Service] section of the /usr/lib/systemd/system/auditd.service
configuration file for further details.
Government networks often have substantial auditing
requirements and auditd can be configured to meet these
requirements.
Examining some example audit records demonstrates how the Linux audit system
satisfies common requirements.
The following example from Red Hat Enterprise Linux 7 Documentation available at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages
shows the substantial amount of information captured in a
two typical "raw" audit messages, followed by a breakdown of the most important
fields. In this example the message is SELinux-related and reports an AVC
denial (and the associated system call) that occurred when the Apache HTTP
Server attempted to access the /var/www/html/file1 file (labeled with
the samba_share_t type):
type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd"
path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
msg=audit(1226874073.147:96)- The number in parentheses is the unformatted time stamp (Epoch time)
for the event, which can be converted to standard time by using the
date command.
{ getattr }- The item in braces indicates the permission that was denied.
getattr
indicates the source process was trying to read the target file's status information.
This occurs before reading files. This action is denied due to the file being
accessed having the wrong label. Commonly seen permissions include getattr,
read, and write.
comm="httpd"- The executable that launched the process. The full path of the executable is
found in the
exe= section of the system call (SYSCALL) message,
which in this case, is exe="/usr/sbin/httpd".
path="/var/www/html/file1"- The path to the object (target) the process attempted to access.
scontext="unconfined_u:system_r:httpd_t:s0"- The SELinux context of the process that attempted the denied action. In
this case, it is the SELinux context of the Apache HTTP Server, which is running
in the
httpd_t domain.
tcontext="unconfined_u:object_r:samba_share_t:s0"- The SELinux context of the object (target) the process attempted to access.
In this case, it is the SELinux context of
file1. Note: the samba_share_t
type is not accessible to processes running in the httpd_t domain.
- From the system call (
SYSCALL) message, two items are of interest:
success=no: indicates whether the denial (AVC) was enforced or not.
success=no indicates the system call was not successful (SELinux denied
access). success=yes indicates the system call was successful - this can
be seen for permissive domains or unconfined domains, such as initrc_t
and kernel_t.
exe="/usr/sbin/httpd": the full path to the executable that launched
the process, which in this case, is exe="/usr/sbin/httpd".
|
| contains 3 rules |
Configure auditd Rules for Comprehensive Auditing
[ref]groupThe auditd program can perform comprehensive
monitoring of system activity. This section describes recommended
configuration settings for comprehensive auditing, but a full
description of the auditing system's capabilities is beyond the
scope of this guide. The mailing list linux-audit@redhat.com exists
to facilitate community discussion of the auditing system.
The audit subsystem supports extensive collection of events, including:
- Tracing of arbitrary system calls (identified by name or number)
on entry or exit.
- Filtering by PID, UID, call success, system call argument (with
some limitations), etc.
- Monitoring of specific files for modifications to the file's
contents or metadata.
Auditing rules at startup are controlled by the file /etc/audit/audit.rules.
Add rules to it to meet the auditing requirements for your organization.
Each line in /etc/audit/audit.rules represents a series of arguments
that can be passed to auditctl and can be individually tested
during runtime. See documentation in /usr/share/doc/audit-VERSION and
in the related man pages for more details.
If copying any example audit rulesets from /usr/share/doc/audit-VERSION,
be sure to comment out the
lines containing arch= which are not appropriate for your system's
architecture. Then review and understand the following rules,
ensuring rules are activated as needed for the appropriate
architecture.
After reviewing all the rules, reading the following sections, and
editing as needed, the new rules can be activated as follows:
$ sudo service auditd restart |
| contains 1 rule |
Record Information on the Use of Privileged Commands
[ref]groupAt a minimum, the audit system should collect the execution of
privileged commands for all users and root. |
| contains 1 rule |
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
[ref]rule
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged Rationale:Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. Identifiers:
CCE-85603-9 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-OS-000755-GPOS-00220, SLES-15-030560, R33, SV-234955r958412_rule
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85603-9
- DISA-STIG-SLES-15-030560
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- audit_rules_privileged_commands_sudo
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
- Perform remediation of Audit rules for /usr/bin/sudo
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x
-F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x
-F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85603-9
- DISA-STIG-SLES-15-030560
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- audit_rules_privileged_commands_sudo
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
# Remediation is applicable only in certain platforms
if rpm --quiet -q audit && rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
# Retrieve hardware architecture of the underlying system
OTHER_FILTERS="-F path=/usr/bin/sudo -F perm=x"
AUID_FILTERS="-F auid>=1000 -F auid!=unset"
SYSCALL=""
KEY="privileged"
SYSCALL_GROUPING=""
ACTION_ARCH_FILTERS="-a always,exit"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, lets use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
file_to_inspect="/etc/audit/rules.d/$KEY.rules"
files_to_inspect=("$file_to_inspect")
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
chmod 0600 "$file_to_inspect"
fi
fi
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
# i.e, collect rules that match:
# * the action, list and arch, (2-nd argument)
# * the other filters, (3-rd argument)
# * the auid filters, (4-rd argument)
readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
candidate_rules=()
# Filter out rules that have more fields then required. This will remove rules more specific than the required scope
for s_rule in "${similar_rules[@]}"
do
# Strip all the options and fields we know of,
# than check if there was any field left over
extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
done
if [[ ${#syscall_a[@]} -ge 1 ]]
then
# Check if the syscall we want is present in any of the similar existing rules
for rule in "${candidate_rules[@]}"
do
rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
all_syscalls_found=0
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
# A syscall was not found in the candidate rule
all_syscalls_found=1
}
done
if [[ $all_syscalls_found -eq 0 ]]
then
# We found a rule with all the syscall(s) we want; skip rest of macro
skip=0
break
fi
# Check if this rule can be grouped with our target syscall and keep track of it
for syscall_g in "${syscall_grouping[@]}"
do
if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
then
file_to_edit=${audit_file}
rule_to_edit=${rule}
rule_syscalls_to_edit=${rule_syscalls}
fi
done
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
fi
if [ "$skip" -eq 0 ]; then
break
fi
done
if [ "$skip" -ne 0 ]; then
# We checked all rules that matched the expected resemblance pattern (action, arch & auid)
# At this point we know if we need to either append the $full_rule or group
# the syscall together with an exsiting rule
# Append the full_rule if it cannot be grouped to any other rule
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
do
syscall_string+=" -S $syscall"
done
fi
other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
echo "$full_rule" >> "$default_file"
chmod 0600 ${default_file}
else
# Check if the syscalls are declared as a comma separated list or
# as multiple -S parameters
if grep -q -- "," <<< "${rule_syscalls_to_edit}"
then
delimiter=","
else
delimiter=" -S "
fi
new_grouped_syscalls="${rule_syscalls_to_edit}"
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
# A syscall was not found in the candidate rule
new_grouped_syscalls+="${delimiter}${syscall}"
}
done
# Group the syscall in the rule
sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
fi
fi
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
# i.e, collect rules that match:
# * the action, list and arch, (2-nd argument)
# * the other filters, (3-rd argument)
# * the auid filters, (4-rd argument)
readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
candidate_rules=()
# Filter out rules that have more fields then required. This will remove rules more specific than the required scope
for s_rule in "${similar_rules[@]}"
do
# Strip all the options and fields we know of,
# than check if there was any field left over
extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
done
if [[ ${#syscall_a[@]} -ge 1 ]]
then
# Check if the syscall we want is present in any of the similar existing rules
for rule in "${candidate_rules[@]}"
do
rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
all_syscalls_found=0
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
# A syscall was not found in the candidate rule
all_syscalls_found=1
}
done
if [[ $all_syscalls_found -eq 0 ]]
then
# We found a rule with all the syscall(s) we want; skip rest of macro
skip=0
break
fi
# Check if this rule can be grouped with our target syscall and keep track of it
for syscall_g in "${syscall_grouping[@]}"
do
if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
then
file_to_edit=${audit_file}
rule_to_edit=${rule}
rule_syscalls_to_edit=${rule_syscalls}
fi
done
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
fi
if [ "$skip" -eq 0 ]; then
break
fi
done
if [ "$skip" -ne 0 ]; then
# We checked all rules that matched the expected resemblance pattern (action, arch & auid)
# At this point we know if we need to either append the $full_rule or group
# the syscall together with an exsiting rule
# Append the full_rule if it cannot be grouped to any other rule
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
do
syscall_string+=" -S $syscall"
done
fi
other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
echo "$full_rule" >> "$default_file"
chmod 0600 ${default_file}
else
# Check if the syscalls are declared as a comma separated list or
# as multiple -S parameters
if grep -q -- "," <<< "${rule_syscalls_to_edit}"
then
delimiter=","
else
delimiter=" -S "
fi
new_grouped_syscalls="${rule_syscalls_to_edit}"
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
# A syscall was not found in the candidate rule
new_grouped_syscalls+="${delimiter}${syscall}"
}
done
# Group the syscall in the rule
sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure the audit Subsystem is Installed
[ref]ruleThe audit package should be installed. Rationale:The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. Identifiers:
CCE-85612-0 References:
164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SLES-15-030650, 4.1.1.1, R33, R73, SLES-15-750450015, 0582, 0846, 10.2.1, 10.2, SV-234964r1009639_rule
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
include install_audit
class install_audit {
package { 'audit':
ensure => 'installed',
}
}
[[packages]]
name = "audit"
version = "*"
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85612-0
- DISA-STIG-SLES-15-030650
- NIST-800-53-AC-7(a)
- NIST-800-53-AU-12(2)
- NIST-800-53-AU-14
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-7(1)
- NIST-800-53-AU-7(2)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.1
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_audit_installed
- name: Ensure audit is installed
ansible.builtin.package:
name: audit
state: present
when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
tags:
- CCE-85612-0
- DISA-STIG-SLES-15-030650
- NIST-800-53-AC-7(a)
- NIST-800-53-AU-12(2)
- NIST-800-53-AU-14
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-7(1)
- NIST-800-53-AU-7(2)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.1
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_audit_installed
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then
zypper install -y "audit"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Enable auditd Service
[ref]ruleThe auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service Rationale:Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. Identifiers:
CCE-85581-7 References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-APP-000095-CTR-000170, SRG-APP-000409-CTR-000990, SRG-APP-000508-CTR-001300, SRG-APP-000510-CTR-001310, SLES-15-030050, 4.1.1.2, R33, R73, SLES-15-750450060, 1409, 10.2.1, 10.2, SV-234904r958412_rule
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
include enable_auditd
class enable_auditd {
service {'auditd':
enable => true,
ensure => 'running',
}
}
[customizations.services]
enabled = ["auditd"]
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85581-7
- CJIS-5.4.1.1
- DISA-STIG-SLES-15-030050
- NIST-800-171-3.3.1
- NIST-800-171-3.3.2
- NIST-800-171-3.3.6
- NIST-800-53-AC-2(g)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-10
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-14(1)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-3
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-4(23)
- PCI-DSS-Req-10.1
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_auditd_enabled
- name: Enable auditd Service - Enable service auditd
block:
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
- name: Enable auditd Service - Enable Service auditd
ansible.builtin.systemd:
name: auditd
enabled: true
state: started
masked: false
when:
- '"audit" in ansible_facts.packages'
tags:
- CCE-85581-7
- CJIS-5.4.1.1
- DISA-STIG-SLES-15-030050
- NIST-800-171-3.3.1
- NIST-800-171-3.3.2
- NIST-800-171-3.3.6
- NIST-800-53-AC-2(g)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-10
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-14(1)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-3
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-4(23)
- PCI-DSS-Req-10.1
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_auditd_enabled
- special_service_block
when:
- ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
- '"audit" in ansible_facts.packages'
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | enable |
|---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base && { rpm --quiet -q audit; }; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'auditd.service'
if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
"$SYSTEMCTL_EXEC" start 'auditd.service'
fi
"$SYSTEMCTL_EXEC" enable 'auditd.service'
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|