| Mapping | CCE | Rule Title | Description | Rationale | Variable Setting |
| SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000466-GPOS-00210 SRG-OS-000476-GPOS-00221 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000503-CTR-001275 |
N/A | Ensure auditd Collects System Administrator Actions - /etc/sudoers |
At a minimum, the audit system should collect administrator actions
for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actionsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /etc/sudoers -p wa -k actions |
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. | |
| SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000466-GPOS-00210 SRG-OS-000476-GPOS-00221 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000503-CTR-001275 |
N/A | Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ |
At a minimum, the audit system should collect administrator actions
for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/sudoers.d/ -p wa -k actionsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /etc/sudoers.d/ -p wa -k actions |
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. | |
| SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000466-GPOS-00210 SRG-OS-000476-GPOS-00221 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000503-CTR-001275 |
N/A | Record Events that Modify User/Group Information - /etc/group |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/group -p wa -k audit_rules_usergroup_modificationIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /etc/group -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | |
| SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000466-GPOS-00210 SRG-OS-000476-GPOS-00221 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000503-CTR-001275 |
N/A | Record Events that Modify User/Group Information - /etc/gshadow |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modificationIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | |
| SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000466-GPOS-00210 SRG-OS-000476-GPOS-00221 SRG-APP-000495-CTR-001235 SRG-APP-000496-CTR-001240 SRG-APP-000497-CTR-001245 SRG-APP-000498-CTR-001250 SRG-APP-000503-CTR-001275 |
N/A | Record Events that Modify User/Group Information - /etc/security/opasswd |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modificationIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | |
| SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000304-GPOS-00121 SRG-OS-000466-GPOS-00210 SRG-OS-000476-GPOS-00221 SRG-OS-000274-GPOS-00104 SRG-OS-000275-GPOS-00105 SRG-OS-000276-GPOS-00106 SRG-OS-000277-GPOS-00107 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000503-CTR-001275 |
N/A | Record Events that Modify User/Group Information - /etc/passwd |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/passwd -p wa -k audit_rules_usergroup_modificationIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /etc/passwd -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | |
| SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000466-GPOS-00210 SRG-OS-000476-GPOS-00221 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000503-CTR-001275 |
N/A | Record Events that Modify User/Group Information - /etc/shadow |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/shadow -p wa -k audit_rules_usergroup_modificationIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /etc/shadow -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | |
| SRG-OS-000021-GPOS-00005 | N/A | Account Lockouts Must Be Logged | PAM faillock locks an account due to excessive password failures, this event must be logged. | Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack. | |
| SRG-OS-000023-GPOS-00006 SRG-OS-000228-GPOS-00088 |
N/A | Modify the System Login Banner for Remote Connections |
To configure the system login banner edit /etc/issue.net. Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: I've read & consent to terms in IS user agreem't. |
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. |
|
| SRG-OS-000023-GPOS-00006 SRG-OS-000228-GPOS-00088 |
N/A | Enable GNOME3 Login Warning Banner |
In the default graphical environment, displaying a login warning banner
in the GNOME Display Manager's login screen can be enabled on the login
screen by setting banner-message-enable to true.
To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example: [org/gnome/login-screen] banner-message-enable=trueOnce the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/login-screen/banner-message-enableAfter the settings have been set, run dconf update. The banner text must also be set. |
Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.
For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. |
|
| SRG-OS-000023-GPOS-00006 SRG-OS-000228-GPOS-00088 |
N/A | Set the GNOME3 Login Warning Banner Text |
In the default graphical environment, configuring the login warning banner text
in the GNOME Display Manager's login screen can be configured on the login
screen by setting banner-message-text to 'APPROVED_BANNER'
where APPROVED_BANNER is the approved banner for your environment.
To enable, add or edit banner-message-text to /etc/dconf/db/gdm.d/00-security-settings. For example: [org/gnome/login-screen] banner-message-text='APPROVED_BANNER'Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/login-screen/banner-message-textAfter the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines. |
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. | |
| SRG-OS-000023-GPOS-00006 SRG-OS-000228-GPOS-00088 |
N/A | Enable SSH Warning Banner |
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
Banner /etc/issue.netAnother section contains information on how to create an appropriate system-wide warning banner. |
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. | |
| SRG-OS-000027-GPOS-00008 | N/A | Limit the Number of Concurrent Login Sessions Allowed Per User |
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf or
a file under /etc/security/limits.d/:
* hard maxlogins 10 |
Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. | var_accounts_max_concurrent_login_sessions=10 |
| SRG-OS-000028-GPOS-00009 SRG-OS-000030-GPOS-00011 |
N/A | Enable GNOME3 Screensaver Lock After Idle Period |
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/desktop/screensaver] lock-enabled=trueOnce the settings have been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/screensaver/lock-enabledAfter the settings have been set, run dconf update. |
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence. | |
| SRG-OS-000028-GPOS-00009 SRG-OS-000030-GPOS-00011 |
N/A | Check that vlock is installed to allow session locking |
The Claroty CTD 5.x operating system must have vlock installed to allow for session locking.
The kbd package can be installed with the following command:
$ apt-get install kbd |
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. | |
| SRG-OS-000029-GPOS-00010 SRG-OS-000031-GPOS-00012 |
N/A | Set GNOME3 Screensaver Inactivity Timeout |
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d directory
and locked in /etc/dconf/db/gdm.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/gdm.d/00-security-settings: [org/gnome/desktop/session] idle-delay=uint32 900 |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. | |
| SRG-OS-000029-GPOS-00010 SRG-OS-000031-GPOS-00012 |
N/A | Set GNOME3 Screensaver Lock Delay After Activation Period |
To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 immediate in
/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/desktop/screensaver] lock-delay=uint32 immediateAfter the settings have been set, run dconf update. |
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence. | var_screensaver_lock_delay=immediate |
| SRG-OS-000032-GPOS-00013 | N/A | Ensure remote access methods are monitored in Rsyslog |
Logging of remote access methods must be implemented to help identify cyber
attacks and ensure ongoing compliance with remote access policies are being
audited and upheld. An examples of a remote access method is the use of the
Remote Desktop Protocol (RDP) from an external, non-organization controlled
network. The /etc/rsyslog.conf or
/etc/rsyslog.d/*.conf file should contain a match for the following
selectors: auth.*, authpriv.*, and daemon.*. If
not, use the following as an example configuration:
auth.*;authpriv.* /var/log/secure
daemon.* /var/log/messages
|
Logging remote access methods can be used to trace the decrease the risks associated with remote user access management. It can also be used to spot cyber attacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods. | |
| SRG-OS-000033-GPOS-00014 SRG-OS-000120-GPOS-00061 SRG-OS-000125-GPOS-00065 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173 SRG-OS-000394-GPOS-00174 |
N/A | Use Only FIPS 140-2 Validated Ciphers |
Limit the ciphers to those algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes256-ctr,aes192-ctr,aes128-ctrThis rule ensures that there are configured ciphers mentioned above (or their subset), keeping the given order of algorithms. |
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Claroty CTD 5.x. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000466-GPOS-00210 SRG-OS-000458-GPOS-00203 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 |
N/A | Record Events that Modify the System's Discretionary Access Controls - chmod |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000466-GPOS-00210 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 |
N/A | Record Events that Modify the System's Discretionary Access Controls - chown |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000466-GPOS-00210 SRG-OS-000458-GPOS-00203 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 |
N/A | Record Events that Modify the System's Discretionary Access Controls - fchmod |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000466-GPOS-00210 SRG-OS-000458-GPOS-00203 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 |
N/A | Record Events that Modify the System's Discretionary Access Controls - fchmodat |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000466-GPOS-00210 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 |
N/A | Record Events that Modify the System's Discretionary Access Controls - fchown |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000466-GPOS-00210 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 |
N/A | Record Events that Modify the System's Discretionary Access Controls - fchownat |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000471-GPOS-00215 SRG-OS-000474-GPOS-00219 SRG-OS-000466-GPOS-00210 SRG-OS-000468-GPOS-00212 SRG-OS-000064-GPOS-00033 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000496-CTR-001240 SRG-APP-000497-CTR-001245 SRG-APP-000498-CTR-001250 SRG-APP-000499-CTR-001255 |
N/A | Record Events that Modify the System's Discretionary Access Controls - fremovexattr |
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000466-GPOS-00210 SRG-OS-000468-GPOS-00212 SRG-OS-000471-GPOS-00215 SRG-OS-000474-GPOS-00219 SRG-OS-000064-GPOS-00033 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000496-CTR-001240 SRG-APP-000497-CTR-001245 SRG-APP-000498-CTR-001250 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270 |
N/A | Record Events that Modify the System's Discretionary Access Controls - fsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000466-GPOS-00210 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 |
N/A | Record Events that Modify the System's Discretionary Access Controls - lchown |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000468-GPOS-00212 SRG-OS-000471-GPOS-00215 SRG-OS-000474-GPOS-00219 SRG-OS-000466-GPOS-00210 SRG-OS-000064-GPOS-00033 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000496-CTR-001240 SRG-APP-000497-CTR-001245 SRG-APP-000498-CTR-001250 SRG-APP-000499-CTR-001255 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270 |
N/A | Record Events that Modify the System's Discretionary Access Controls - lremovexattr |
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000466-GPOS-00210 SRG-OS-000468-GPOS-00212 SRG-OS-000471-GPOS-00215 SRG-OS-000474-GPOS-00219 SRG-OS-000064-GPOS-00033 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000496-CTR-001240 SRG-APP-000497-CTR-001245 SRG-APP-000498-CTR-001250 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270 |
N/A | Record Events that Modify the System's Discretionary Access Controls - lsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000468-GPOS-00212 SRG-OS-000471-GPOS-00215 SRG-OS-000474-GPOS-00219 SRG-OS-000466-GPOS-00210 SRG-OS-000064-GPOS-00033 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 SRG-APP-000496-CTR-001240 SRG-APP-000497-CTR-001245 SRG-APP-000498-CTR-001250 SRG-APP-000499-CTR-001255 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270 |
N/A | Record Events that Modify the System's Discretionary Access Controls - removexattr |
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000466-GPOS-00210 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-APP-000091-CTR-000160 SRG-APP-000492-CTR-001220 SRG-APP-000493-CTR-001225 SRG-APP-000494-CTR-001230 SRG-APP-000500-CTR-001260 SRG-APP-000507-CTR-001295 SRG-APP-000495-CTR-001235 |
N/A | Record Events that Modify the System's Discretionary Access Controls - setxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000466-GPOS-00210 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 |
N/A | Record Any Attempts to Run chacl |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chacl -F auid>=1000 -F auid!=unset -F key=privileged |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000468-GPOS-00212 SRG-OS-000471-GPOS-00215 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-APP-000495-CTR-001235 SRG-APP-000496-CTR-001240 SRG-APP-000497-CTR-001245 SRG-APP-000498-CTR-001250 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270 |
N/A | Record Any Attempts to Run chcon |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000495-CTR-001235 |
N/A | Record Any Attempts to Run setfacl |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/setfacl -F auid>=1000 -F auid!=unset -F key=privileged |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270 |
N/A | Ensure auditd Collects File Deletion Events by User - rename |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270 |
N/A | Ensure auditd Collects File Deletion Events by User - renameat |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270 |
N/A | Ensure auditd Collects File Deletion Events by User - rmdir |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270 |
N/A | Ensure auditd Collects File Deletion Events by User - unlink |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270 |
N/A | Ensure auditd Collects File Deletion Events by User - unlinkat |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222 SRG-APP-000495-CTR-001235 SRG-APP-000504-CTR-001280 |
N/A | Ensure auditd Collects Information on Kernel Module Unloading - delete_module |
To capture kernel module loading and unloading events, use the following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules. |
The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222 SRG-APP-000495-CTR-001235 SRG-APP-000504-CTR-001280 |
N/A | Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module |
To capture kernel module loading and unloading events, use the following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S finit_module -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules. |
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222 SRG-APP-000495-CTR-001235 SRG-APP-000504-CTR-001280 |
N/A | Ensure auditd Collects Information on Kernel Module Loading - init_module |
To capture kernel module loading and unloading events, use the following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules. |
The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | |
| SRG-OS-000037-GPOS-00015 | N/A | Record Attempts to Alter Logon and Logout Events - faillog |
The audit system already collects login information for all users
and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/log/faillog -p wa -k loginsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /var/log/faillog -p wa -k logins |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000473-GPOS-00218 SRG-OS-000470-GPOS-00214 SRG-APP-000495-CTR-001235 SRG-APP-000503-CTR-001275 SRG-APP-000506-CTR-001290 |
N/A | Record Attempts to Alter Logon and Logout Events - lastlog |
The audit system already collects login information for all users
and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/log/lastlog -p wa -k loginsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /var/log/lastlog -p wa -k logins |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000468-GPOS-00212 SRG-OS-000471-GPOS-00215 SRG-APP-000029-CTR-000085 SRG-APP-000495-CTR-001235 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - chage |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000495-CTR-001235 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - chsh |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000495-CTR-001235 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - crontab |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000029-CTR-000085 SRG-APP-000495-CTR-001235 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222 SRG-APP-000495-CTR-001235 SRG-APP-000504-CTR-001280 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - kmod |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/kmod -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/kmod -F auid>=1000 -F auid!=unset -F key=privileged |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - modprobe |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/modprobe -p x -k modulesIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -w /sbin/modprobe -p x -k modules |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000029-CTR-000085 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - mount |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000029-CTR-000085 SRG-APP-000495-CTR-001235 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - newgrp |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000029-CTR-000085 SRG-APP-000495-CTR-001235 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000029-CTR-000085 SRG-APP-000495-CTR-001235 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - passwd |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000495-CTR-001235 |
N/A | Record Any Attempts to Run ssh-agent |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/ssh-agent -F auid>=1000 -F auid!=unset -F key=privileged |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000029-CTR-000085 SRG-APP-000495-CTR-001235 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000466-GPOS-00210 SRG-OS-000755-GPOS-00220 SRG-APP-000029-CTR-000085 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - su |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000466-GPOS-00210 SRG-OS-000755-GPOS-00220 SRG-APP-000029-CTR-000085 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - sudo |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000755-GPOS-00220 SRG-APP-000495-CTR-001235 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000029-CTR-000085 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - umount |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-APP-000495-CTR-001235 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - unix_update |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_update -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/sbin/unix_update -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000466-GPOS-00210 SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 |
N/A | Ensure auditd Collects Information on the Use of Privileged Commands - usermod |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/sbin/usermod -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
|
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-APP-000495-CTR-001235 |
N/A | Record Unsuccessful Access Attempts to Files - creat |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-APP-000495-CTR-001235 |
N/A | Record Unsuccessful Access Attempts to Files - ftruncate |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-APP-000495-CTR-001235 |
N/A | Record Unsuccessful Access Attempts to Files - open |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-APP-000495-CTR-001235 |
N/A | Record Unsuccessful Access Attempts to Files - open_by_handle_at |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-APP-000495-CTR-001235 |
N/A | Record Unsuccessful Access Attempts to Files - openat |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-APP-000495-CTR-001235 |
N/A | Record Unsuccessful Access Attempts to Files - truncate |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | |
| SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000473-GPOS-00218 SRG-OS-000254-GPOS-00095 |
N/A | Enable Auditing for Processes Which Start Prior to the Audit Daemon |
To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain audit=1 as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1" |
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. | |
| SRG-OS-000046-GPOS-00022 SRG-OS-000343-GPOS-00134 |
N/A | Configure auditd mail_acct Action on Low Disk Space |
The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = root |
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. | var_auditd_action_mail_acct=root |
| SRG-OS-000047-GPOS-00023 | N/A | Configure auditd Disk Full Action when Disk Space Is Full |
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_full_action = ACTIONSet this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. |
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. | |
| SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 |
N/A | System Audit Logs Must Have Mode 0750 or Less Permissive |
Verify the audit log directories have a mode of "0750" or less permissive by first determining
where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.logBy default, the audit log directory is /var/log/audit. Configure the audit log directory to be protected from unauthorized read access by setting the correct permissive mode. The appropriate directory permissions depend on the log_group setting in /etc/audit/auditd.conf:
If log_group is set to a group other than root, change the mode of the audit log directory with the following command: $ sudo chmod 0750 audit_log_directoryOtherwise, change the mode of the audit log directory with the following command: $ sudo chmod 0700 audit_log_directoryReplace audit_log_directory with the correct audit log directory path. |
If users can write to audit logs, audit trails can be modified or destroyed. | |
| SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000206-GPOS-00084 |
N/A | System Audit Logs Must Be Group Owned By Root |
All audit logs must be group owned by root user.
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.logUsing the path of the directory containing the audit logs, determine if the audit log files are owned by the "root" group by using the following command: $ sudo stat -c "%n %G" /var/log/audit/* /var/log/audit/audit.log rootIf the audit log files are owned by a group other than "root", this is a finding. To remediate, configure the audit log directory and its underlying files to be owned by "root" group. Set the "log_group" parameter of the audit configuration file to the "root" value so when a new log file is created, its group owner is properly set: $ sudo sed -i '/^log_group/D' /etc/audit/auditd.conf $ sudo sed -i /^log_file/a'log_group = root' /etc/audit/auditd.confLast, signal the audit daemon to reload the configuration file to update the group owners of existing files: $ sudo systemctl kill auditd -s SIGHUP |
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. | |
| SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000206-GPOS-00084 |
N/A | System Audit Logs Must Be Owned By Root |
All audit logs must be owned by root user. The path for audit log can be
configured via log_file parameter in /etc/audit/auditd.confor by default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/* |
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. | |
| SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 |
N/A | System Audit Logs Must Have Mode 0600 or Less Permissive |
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.logUsing the path of the directory containing the audit logs, determine if the audit log files have a mode of "600" or less by using the following command: $ sudo stat -c "%n %a" /var/log/audit/* |
If users can write to audit logs, audit trails can be modified or destroyed. | |
| SRG-OS-000062-GPOS-00031 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000122-GPOS-00063 SRG-OS-000254-GPOS-00095 SRG-OS-000255-GPOS-00096 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000358-GPOS-00145 SRG-OS-000365-GPOS-00152 SRG-OS-000392-GPOS-00172 SRG-OS-000475-GPOS-00220 |
N/A | Ensure the audit Subsystem is Installed | The audit package should be installed. | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | |
| SRG-OS-000062-GPOS-00031 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000122-GPOS-00063 SRG-OS-000254-GPOS-00095 SRG-OS-000255-GPOS-00096 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000358-GPOS-00145 SRG-OS-000365-GPOS-00152 SRG-OS-000392-GPOS-00172 SRG-OS-000475-GPOS-00220 SRG-APP-000095-CTR-000170 SRG-APP-000409-CTR-000990 SRG-APP-000508-CTR-001300 SRG-APP-000510-CTR-001310 |
N/A | Enable auditd Service |
The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service |
Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. |
|
| SRG-OS-000063-GPOS-00032 | N/A | Audit Configuration Files Must Be Owned By Group root |
All audit configuration files must be owned by group root.
chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
|
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. | |
| SRG-OS-000063-GPOS-00032 | N/A | Audit Configuration Files Must Be Owned By Root |
All audit configuration files must be owned by root user.
To properly set the owner of /etc/audit/, run the command:
$ sudo chown root /etc/audit/To properly set the owner of /etc/audit/rules.d/, run the command:
$ sudo chown root /etc/audit/rules.d/ |
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. | |
| SRG-OS-000063-GPOS-00032 | N/A | Verify Permissions on /etc/audit/auditd.conf |
To properly set the permissions of /etc/audit/auditd.conf, run the command:
$ sudo chmod 0640 /etc/audit/auditd.conf |
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. | |
| SRG-OS-000063-GPOS-00032 | N/A | Verify Permissions on /etc/audit/rules.d/*.rules |
To properly set the permissions of /etc/audit/rules.d/*.rules, run the command:
$ sudo chmod 0600 /etc/audit/rules.d/*.rules |
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. | |
| SRG-OS-000064-GPOS-00033 | N/A | Record Any Attempts to Run apparmor_parser |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/apparmor_parser -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/sbin/apparmor_parser -F auid>=1000 -F auid!=unset -F key=privileged |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). | |
| SRG-OS-000066-GPOS-00034 SRG-OS-000384-GPOS-00167 |
N/A | Configure Smart Card Certificate Authority Validation |
Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy lines in
/etc/pam_pkcs11/pam_pkcs11.conf to include ca like so:
cert_policy = ca, ocsp_on, signature; |
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider. |
|
| SRG-OS-000068-GPOS-00036 SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055 SRG-OS-000375-GPOS-00160 SRG-OS-000375-GPOS-00161 SRG-OS-000375-GPOS-00162 |
N/A | Enable Smart Card Logins in PAM |
This requirement only applies to components where this is specific to the
function of the device or has the concept of an organizational user (e.g.,
VPN, proxy capability). This does not apply to authentication for the
purpose of configuring the device itself (management).
Check that the pam_pkcs11.so option is configured in the
etc/pam.d/common-auth file with the following command:
# grep pam_pkcs11.so /etc/pam.d/common-auth auth sufficient pam_pkcs11.soFor general information about enabling smart card authentication, consult the documentation at: |
Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider. | |
| SRG-OS-000068-GPOS-00036 | N/A | Verify that 'use_mappers' is set to 'pwent' in PAM |
The operating system must map the authenticated identity to the user or
group account for PKI-based authentication.
Verify that use_mappers is set to pwent in
/etc/pam_pkcs11/pam_pkcs11.conf file with the following command:
$ grep ^use_mappers /etc/pam_pkcs11/pam_pkcs11.conf use_mappers = pwent |
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. | |
| SRG-OS-000069-GPOS-00037 SRG-OS-000480-GPOS-00227 |
N/A | Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session | To configure the number of retry prompts that are permitted per-session: Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry=3, or a lower value if site policy is more restrictive. The profile requirement is a maximum of retry=3 prompts per session. | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. | var_password_pam_retry=3 |
| SRG-OS-000069-GPOS-00037 SRG-OS-000070-GPOS-00038 |
N/A | Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters | The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords. |
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. |
|
| SRG-OS-000070-GPOS-00038 | N/A | Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters | The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords. |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. |
|
| SRG-OS-000071-GPOS-00039 | N/A | Ensure PAM Enforces Password Requirements - Minimum Digit Characters | The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords. |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. |
|
| SRG-OS-000072-GPOS-00040 | N/A | Ensure PAM Enforces Password Requirements - Minimum Different Characters |
The pam_pwquality module's difok parameter sets the number of characters
in a password that must not be present in and old password during a password change.
Modify the difok setting in /etc/security/pwquality.conf to equal 8 to require differing characters when changing passwords. |
Use of a complex password helps to increase the time and resources
required to compromise the password. Password complexity, or strength,
is a measure of the effectiveness of a password in resisting attempts
at guessing and brute–force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. |
var_password_pam_difok=8 |
| SRG-OS-000073-GPOS-00041 | N/A | Set number of Password Hashing Rounds - password-auth |
Configure the number or rounds for the password hashing algorithm. This can be
accomplished by using the rounds option for the pam_unix PAM module.
In file /etc/pam.d/password-auth append rounds=100000 to the pam_unix.so entry, as shown below: password sufficient pam_unix.so ...existing_options... rounds=100000The system's default number of rounds is 5000. |
Using a higher number of rounds makes password cracking attacks more difficult. | var_password_pam_unix_rounds=100000 |
| SRG-OS-000073-GPOS-00041 | N/A | Set Password Hashing Algorithm in /etc/login.defs |
In /etc/login.defs, add or update the following line to ensure the system will use
SHA512 as the hashing algorithm:
ENCRYPT_METHOD SHA512 |
Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.
Using a stronger hashing algorithm makes password cracking attacks more difficult. |
var_password_hashing_algorithm=SHA512 |
| SRG-OS-000075-GPOS-00043 | N/A | Set Password Minimum Age |
To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS 1A value of 1 day is considered sufficient for many environments. The profile requirement is 1. |
Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse.
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. |
var_accounts_minimum_age_login_defs=1 |
| SRG-OS-000076-GPOS-00044 | N/A | Set Password Maximum Age |
To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 60The profile requirement is 60. |
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. |
var_accounts_maximum_age_login_defs=60 |
| SRG-OS-000078-GPOS-00046 | N/A | Ensure PAM Enforces Password Requirements - Minimum Length | The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=15 after pam_pwquality to set minimum password length requirements. |
The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. |
var_password_pam_minlen=15 |
| SRG-OS-000080-GPOS-00048 | N/A | Set Boot Loader Password in grub2 |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpasswordWhen prompted, enter the password that was selected. |
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. | |
| SRG-OS-000080-GPOS-00048 | N/A | Set the UEFI Boot Loader Password |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpasswordWhen prompted, enter the password that was selected. |
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. | |
| SRG-OS-000095-GPOS-00049 | N/A | Uninstall rsh-server Package |
The rsh-server package can be removed with the following command:
$ apt-get remove rsh-server |
The rsh-server service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation. | |
| SRG-OS-000096-GPOS-00050 | N/A | Only Allow Authorized Network Services in ufw |
Check the firewall configuration for any unnecessary or prohibited
functions, ports, protocols, and/or services by running the following
command:
$ sudo ufw show raw Chain OUTPUT (policy ACCEPT) target prot opt sources destination Chain INPUT (policy ACCEPT 1 packets, 40 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destinationAsk the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. |
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. | |
| SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062 |
N/A | Ensure no duplicate UIDs exist | Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field. Users must be assigned unique UIDs for accountability and to ensure appropriate access protections. | Users must be assigned unique UIDs for accountability and to ensure appropriate access protections. | |
| SRG-OS-000105-GPOS-00052 SRG-OS-000375-GPOS-00160 SRG-OS-000375-GPOS-00161 SRG-OS-000377-GPOS-00162 |
N/A | Install Smart Card Packages For Multifactor Authentication |
Configure the operating system to implement multifactor authentication by
installing the required package with the following command:
The openssl-pkcs11 package can be installed with the following command:
$ apt-get install openssl-pkcs11 |
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider. |
|
| SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055 |
N/A | Enable Public Key Authentication |
Enable SSH login with public keys.
The default SSH configuration enables authentication based on public keys. The appropriate configuration is used if no value is set for PubkeyAuthentication. To explicitly enable Public Key Authentication, add or correct the following /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: PubkeyAuthentication yes |
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. Smart cards or hardware tokens paired with digital certificates are common examples of multifactor implementations. | |
| SRG-OS-000106-GPOS-00053 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00227 |
N/A | Disable SSH Access via Empty Passwords |
Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: PermitEmptyPasswords noAny accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | |
| SRG-OS-000109-GPOS-00056 | N/A | Direct root Logins Are Not Allowed |
Configure the operating system to prevent direct logins to the
root account by performing the following operations:
$ sudo passwd -l root |
Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. | |
| SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163 SRG-OS-000480-GPOS-00227 SRG-APP-000141-CTR-000315 |
N/A | Disable Modprobe Loading of USB Storage Driver |
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/falseThis entry will cause a non-zero return value during a usb-storage module installation
and additionally convey the meaning of the entry to the user in form of an error message.
If you would like to omit a non-zero return value and an error message, you may want to add a different line instead
(both /bin/true and /bin/false are allowed by OVAL and will be accepted by the scan):
install usb-storage /bin/trueThis will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually. |
USB storage devices such as thumb drives can be used to introduce malicious software. | |
| SRG-OS-000118-GPOS-00060 | N/A | Set Account Expiration Following Inactivity |
To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd:
INACTIVE=35If a password is currently on the verge of expiration, then 35 day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus 35 day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information. |
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. | var_account_disable_post_pw_expiration=35 |
| SRG-OS-000123-GPOS-00064 SRG-OS-000002-GPOS-00002 |
N/A | Assign Expiration Date to Temporary Accounts |
Temporary accounts are established as part of normal account activation
procedures when there is a need for short-term accounts. In the event
temporary accounts are required, configure the system to
terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on
it, substituting USER and YYYY-MM-DD
appropriately:
$ sudo chage -E YYYY-MM-DD USERYYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours. |
If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
|
|
| SRG-OS-000125-GPOS-00065 | N/A | Enable PAM |
UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will
enable PAM authentication using ChallengeResponseAuthentication and
PasswordAuthentication in addition to PAM account and session module processing for all
authentication types.
To enable PAM authentication, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
UsePAM yes |
When UsePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server. | |
| SRG-OS-000125-GPOS-00065 SRG-OS-000250-GPOS-00093 SRG-OS-000394-GPOS-00174 |
N/A | Use Only FIPS 140-2 Validated MACs |
Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256This rule ensures that there are configured MACs mentioned above (or their subset), keeping the given order of algorithms. |
FIPS-approved cryptographic hash functions are required to be used. The only SSHv2 hash algorithms meeting this requirement is SHA2. | |
| SRG-OS-000126-GPOS-00066 SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109 SRG-OS-000395-GPOS-00175 |
N/A | Set SSH Client Alive Interval |
SSH allows administrators to set a network responsiveness timeout interval.
After this interval has passed, the unresponsive client will be automatically logged out.
To set this timeout interval, edit the following line in /etc/ssh/sshd_config as follows: ClientAliveInterval 10_minutes The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. |
Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. | sshd_idle_timeout_value=10_minutes |
| SRG-OS-000132-GPOS-00067 SRG-OS-000138-GPOS-00069 SRG-APP-000243-CTR-000600 |
N/A | Restrict Access to Kernel Message Buffer |
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 |
Unprivileged access to the kernel syslog can expose sensitive kernel address information. | |
| SRG-OS-000134-GPOS-00068 | N/A | Ensure sudo group has only necessary members | Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. The Ubuntu operating system restricts access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. | Any users assigned to the sudo group would be granted administrator access to the system. | |
| SRG-OS-000138-GPOS-00069 | N/A | Verify that All World-Writable Directories Have Sticky Bits Set |
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may
remove that file from the directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky bit prevents users from
removing each other's files. In cases where there is no reason for a directory to be
world-writable, a better solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application, consult that application's
documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command: $ sudo chmod +t DIR |
Failing to set the sticky bit on public directories allows unauthorized users to delete files
in the directory structure.
The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access. |
|
| SRG-OS-000163-GPOS-00072 SRG-OS-000029-GPOS-00010 |
N/A | Set Interactive Session Timeout |
Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity. A value of 0 (zero)
disables the automatic logout feature and is therefore not a compliant setting.
The value of TMOUT should be a positive integer, exported, and read only.
The TMOUT
setting in a file loaded by /etc/profile, e.g.
/etc/profile.d/tmout.sh should read as follows:
typeset -xr TMOUT=15_minor declare -xr TMOUT=15_minUsing the typeset keyword is preferred for wider compatibility with ksh and other shells.
|
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. | var_accounts_tmout=15_min |
| SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109 |
N/A | Set SSH Client Alive Count Max | The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, then the session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message. | This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. | |
| SRG-OS-000205-GPOS-00083 | N/A | Verify permissions of log files | Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. | The Claroty CTD 5.x must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | |
| SRG-OS-000206-GPOS-00084 SRG-APP-000118-CTR-000240 |
N/A | Verify Group Who Owns /var/log Directory |
To properly set the group owner of /var/log, run the command:
$ sudo chgrp root /var/log |
The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel. | |
| SRG-OS-000206-GPOS-00084 | N/A | Verify Group Who Owns /var/log/syslog File |
To properly set the group owner of /var/log/syslog, run the command:
$ sudo chgrp adm /var/log/syslog |
The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel. | |
| SRG-OS-000206-GPOS-00084 SRG-APP-000118-CTR-000240 |
N/A | Verify User Who Owns /var/log Directory |
To properly set the owner of /var/log, run the command:
$ sudo chown root /var/log |
The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel. | |
| SRG-OS-000206-GPOS-00084 | N/A | Verify User Who Owns /var/log/syslog File |
To properly set the owner of /var/log/syslog, run the command:
$ sudo chown syslog /var/log/syslog |
The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel. | |
| SRG-OS-000206-GPOS-00084 SRG-APP-000118-CTR-000240 |
N/A | Verify Permissions on /var/log Directory |
To properly set the permissions of /var/log, run the command:
$ sudo chmod 0755 /var/log |
The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel. | |
| SRG-OS-000206-GPOS-00084 | N/A | Verify Permissions on /var/log/syslog File |
To properly set the permissions of /var/log/syslog, run the command:
$ sudo chmod 0640 /var/log/syslog |
The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel. | |
| SRG-OS-000250-GPOS-00093 | N/A | Use Only FIPS 140-2 Validated Key Exchange Algorithms | Limit the key exchange algorithms to those which are FIPS-approved. Add or modify the following line in This rule ensures that only the key exchange algorithms mentioned above (or their subset) are configured for use, keeping the given order of algorithms. | FIPS-approved key exchange algorithms are required to be used. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection. | |
| SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098 |
N/A | Verify that audit tools are owned by root |
The Claroty CTD 5.x operating system audit tools must have the proper
ownership configured to protected against unauthorized access.
Verify it by running the following command:
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules /sbin/auditctl root /sbin/aureport root /sbin/ausearch root /sbin/autrace root /sbin/auditd root /sbin/audispd root /sbin/augenrules rootAudit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators |
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. | |
| SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098 |
N/A | Verify that audit tools Have Mode 0755 or less |
The Claroty CTD 5.x operating system audit tools must have the proper
permissions configured to protected against unauthorized access.
Verify it by running the following command:
$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules /sbin/auditctl 755 /sbin/aureport 755 /sbin/ausearch 755 /sbin/autrace 755 /sbin/auditd 755 /sbin/audispd 755 /sbin/augenrules 755Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators |
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. | |
| SRG-OS-000258-GPOS-00099 | N/A | Verify that system commands directories are group owned by root |
System commands files are stored in the following directories by default:
/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbinAll these directories should be owned by the root group. If the directory is found to be owned by a group other than root correct its ownership with the following command: $ sudo chgrp root DIR |
If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. | |
| SRG-OS-000258-GPOS-00099 | N/A | Verify that System Executable Have Root Ownership |
/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbinAll these directories should be owned by the root user. If any directory DIR in these directories is found to be owned by a user other than root, correct its ownership with the following command: $ sudo chown root DIR |
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. | |
| SRG-OS-000258-GPOS-00099 | N/A | Verify that System Executable Directories Have Restrictive Permissions |
System executables are stored in the following directories by default:
/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbinThese directories should not be group-writable or world-writable. If any directory DIR in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w DIR |
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. | |
| SRG-OS-000259-GPOS-00100 | N/A | Verify that Shared Library Directories Have Root Group Ownership |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be group-owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chgrp root DIR |
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. | |
| SRG-OS-000259-GPOS-00100 | N/A | Verify that Shared Library Directories Have Root Ownership |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chown root DIR |
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. | |
| SRG-OS-000259-GPOS-00100 | N/A | Verify that system commands files are group owned by root or a system account |
System commands files are stored in the following directories by default:
/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbinAll files in these directories should be owned by the root group, or a system account. If the directory, or any file in these directories, is found to be owned by a group other than root or a a system account correct its ownership with the following command: $ sudo chgrp root FILE |
If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. | |
| SRG-OS-000259-GPOS-00100 | N/A | Verify that System Executables Have Root Ownership |
System executables are stored in the following directories by default:
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbinAll files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command: $ sudo chown root FILE |
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. | |
| SRG-OS-000259-GPOS-00100 | N/A | Verify that Shared Library Files Have Root Ownership |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chown root FILE |
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. | |
| SRG-OS-000259-GPOS-00100 | N/A | Verify that System Executables Have Restrictive Permissions |
System executables are stored in the following directories by default:
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbinAll files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE |
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. | |
| SRG-OS-000259-GPOS-00100 | N/A | Verify that Shared Library Files Have Restrictive Permissions |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE |
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. | |
| SRG-OS-000259-GPOS-00100 | N/A | Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. |
System-wide library files are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64All system-wide shared library files should be protected from unauthorised access. If any of these files is not group-owned by root, correct its group-owner with the following command: $ sudo chgrp root FILE |
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. | |
| SRG-OS-000266-GPOS-00101 | N/A | Ensure PAM Enforces Password Requirements - Minimum Special Characters | The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal 1 to require use of a special character in passwords. |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. |
var_password_pam_ocredit=1 |
| SRG-OS-000269-GPOS-00103 SRG-OS-000480-GPOS-00227 |
N/A | Disable KDump Kernel Crash Analyzer (kdump) |
The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.
The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service |
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. | |
| SRG-OS-000278-GPOS-00108 | N/A | Configure AIDE to Verify the Audit Tools | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. | |
| SRG-OS-000297-GPOS-00115 | N/A | Install ufw Package |
The ufw package can be installed with the following command:
$ apt-get install ufw |
ufw controls the Linux kernel network packet filtering code. ufw allows system operators to set up firewalls and IP masquerading, etc. | |
| SRG-OS-000297-GPOS-00115 | N/A | Verify ufw Enabled |
The ufw service can be enabled with the following command:
$ sudo systemctl enable ufw.service |
The ufw service must be enabled and running in order for ufw to protect the system | |
| SRG-OS-000299-GPOS-00117 SRG-OS-000300-GPOS-00118 SRG-OS-000424-GPOS-00188 SRG-OS-000481-GPOS-00481 |
N/A | Deactivate Wireless Network Interfaces |
Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.
Configure the system to disable all wireless network interfaces with the following command: $ sudo nmcli radio all off |
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. | |
| SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000326-GPOS-00126 SRG-OS-000370-GPOS-00155 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00231 SRG-OS-000480-GPOS-00232 |
N/A | Ensure AppArmor is Active and Configured |
Verify that the Apparmor tool is configured to
control whitelisted applications and user home directory access
control. The apparmor service can be enabled with the following command:
$ sudo systemctl enable apparmor.service |
Using a whitelist provides a configuration management method for allowing
the execution of only authorized software. Using only authorized software
decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Verification of whitelisted software occurs prior to execution or at system startup. Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources. Apparmor can confine users to their home directory, not allowing them to make any changes outside of their own home directories. Confining users to their home directory will minimize the risk of sharing information. |
|
| SRG-OS-000324-GPOS-00125 SRG-OS-000480-GPOS-00227 |
N/A | Disable Ctrl-Alt-Del Reboot Activation |
By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following: ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.targetor systemctl mask ctrl-alt-del.target Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates. |
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. | |
| SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127 SRG-OS-000755-GPOS-00220 SRG-APP-000343-CTR-000780 SRG-APP-000381-CTR-000905 |
N/A | Record Events When Privileged Executables Are Run |
Verify the system generates an audit record when privileged functions are executed.
If audit is using the "auditctl" tool to load the rules, run the following command:
$ sudo grep execve /etc/audit/audit.rulesIf audit is using the "augenrules" tool to load the rules, run the following command: $ sudo grep -r execve /etc/audit/rules.d -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgidIf both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. |
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. | |
| SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 |
N/A | Lock Accounts After Failed Password Attempts | This rule configures the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. Ensure that the file /etc/security/faillock.conf contains the following entry: deny = <count> Where count should be less than or equal to 3 and greater than 0. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. | var_accounts_passwords_pam_faillock_deny=3 |
| SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 |
N/A | Set Interval For Counting Failed Password Attempts | Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Ensure that the file /etc/security/faillock.conf contains the following entry: fail_interval = <interval-in-seconds> where interval-in-seconds is 900 or greater. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. | var_accounts_passwords_pam_faillock_fail_interval=900 |
| SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 |
N/A | Do Not Show System Messages When Unsuccessful Logon Attempts Occur | This rule ensures the system prevents informative messages from being presented to the user pertaining to logon information after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. | The pam_faillock module without the silent option will leak information about the existence or non-existence of a user account in the system because the failures are not recorded for unknown users. The message about the user account being locked is never displayed for non-existing user accounts allowing the adversary to infer that a particular account exists or not on the system. | |
| SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 |
N/A | Set Lockout Time for Failed Password Attempts | This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using pam_faillock.so. Ensure that the file /etc/security/faillock.conf contains the following entry: unlock_time=<interval-in-seconds> where interval-in-seconds is never or greater. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. This should be done using the faillock tool. | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. | var_accounts_passwords_pam_faillock_unlock_time=never |
| SRG-OS-000341-GPOS-00132 SRG-OS-000342-GPOS-00133 |
N/A | Configure a Sufficiently Large Partition for Audit Logs |
The Claroty CTD 5.x operating system must allocate audit record storage
capacity to store at least one weeks worth of audit records when audit
records are not immediately sent to a central audit record storage
facility.
The partition size needed to capture a week's worth of audit records is
based on the activity level of the system and the total storage capacity
available.
In normal circumstances, 10.0 GB of storage space for audit
records will be sufficient.
Determine which partition the audit records are being written to with the
following command:
$ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.logCheck the size of the partition that audit records are written to with the following command: $ sudo df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. | |
| SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224 |
N/A | Configure audispd Plugin To Send Logs To Remote Server |
Configure the audispd plugin to off-load audit records onto a different
system or media from the system being audited.
Set the remote_server option in /etc/audit/audisp-remote.confwith an IP address or hostname of the system that the audispd plugin should send audit records to. For example remote_server = logcollector |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity. | var_audispd_remote_server=logcollector |
| SRG-OS-000342-GPOS-00133 | N/A | Ensure the default plugins for the audit dispatcher are Installed | The audit-audispd-plugins package should be installed. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. | |
| SRG-OS-000343-GPOS-00134 | N/A | Configure auditd space_left Action on Low Disk Space |
The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTIONPossible values for ACTION are described in the auditd.conf man page. These include:
|
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. | |
| SRG-OS-000343-GPOS-00134 | N/A | Configure auditd space_left on Low Disk Space |
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting PERCENTAGE appropriately:
space_left = PERCENTAGE%Set this value to at least 25 to cause the system to notify the user of an issue. |
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. | |
| SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 SRG-OS-000359-GPOS-00146 |
N/A | Configure Time Service Maxpoll Interval |
The maxpoll should be configured to
18_hours in /etc/ntp.conf or
/etc/chrony/chrony.conf (or /etc/chrony/conf.d/) to continuously poll time servers. To configure
maxpoll in /etc/ntp.conf or /etc/chrony/chrony.conf (or /etc/chrony/conf.d/)
add the following after each server, pool or peer entry:
maxpoll 18_hoursto server directives. If using chrony, any pool directives should be configured too. |
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). | var_time_service_set_maxpoll=18_hours |
| SRG-OS-000355-GPOS-00143 | N/A | The Chrony package is installed |
System time should be synchronized between all systems in an environment. This is
typically done by establishing an authoritative time server or set of servers and having all
systems synchronize their clocks to them.
The chrony package can be installed with the following command:
$ apt-get install chrony |
Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations. | |
| SRG-OS-000356-GPOS-00144 | N/A | Synchronize internal information system clocks | Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. | |
| SRG-OS-000359-GPOS-00146 | N/A | Ensure real-time clock is set to UTC | Ensure that the system real-time clock (RTC) is set to Coordinated Universal Time (UTC). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the operating system include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC. | |
| SRG-OS-000363-GPOS-00150 SRG-OS-000446-GPOS-00200 SRG-OS-000447-GPOS-00201 |
N/A | Configure Periodic Execution of AIDE |
At a minimum, AIDE should be configured to run a weekly scan.
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/bin/aide --checkTo implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/bin/aide --checkAIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable. |
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. |
|
| SRG-OS-000363-GPOS-00150 SRG-OS-000363-GPOS-00150 SRG-OS-000446-GPOS-00200 SRG-OS-000447-GPOS-00201 |
N/A | Ensure auditd Collects Changes to Cron Jobs - /var/spool/cron |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/spool/cron -p wa -k cronjobsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /var/spool/cron -p wa -k cronjobs |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | |
| SRG-OS-000366-GPOS-00153 | N/A | Disable unauthenticated repositories in APT configuration | Unauthenticated repositories should not be used for updates. | Repositories hosts all packages that will be installed on the system during update. If a repository is not authenticated, the associated packages can't be trusted, and then should not be installed locally. | |
| SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155 |
N/A | Ensure AppArmor is installed | AppArmor provide Mandatory Access Controls. | Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available. | |
| SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158 |
N/A | Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate | The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. |
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
|
| SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158 |
N/A | Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. |
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
|
| SRG-OS-000375-GPOS-00160 SRG-OS-000376-GPOS-00161 |
N/A | Install the opensc Package For Multifactor Authentication |
The opensc package can be installed with the following command:
$ apt-get install opensc |
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider. |
|
| SRG-OS-000375-GPOS-00160 | N/A | Install the SSSD Package |
The sssd package should be installed.
The sssd package can be installed with the following command:
$ apt-get install sssd |
||
| SRG-OS-000375-GPOS-00160 | N/A | Enable the SSSD Service |
The SSSD service should be enabled.
The sssd service can be enabled with the following command:
$ sudo systemctl enable sssd.service |
||
| SRG-OS-000375-GPOS-00160 SRG-OS-000376-GPOS-00161 SRG-OS-000377-GPOS-00162 SRG-OS-000384-GPOS-00167 |
N/A | Configure Smart Card Certificate Status Checking |
Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy lines in
/etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
cert_policy = ca, ocsp_on, signature; |
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider. |
|
| SRG-OS-000375-GPOS-00160 SRG-OS-000376-GPOS-00161 SRG-OS-000377-GPOS-00162 |
N/A | Configure PAM in SSSD Services |
SSSD should be configured to run SSSD pam services.
To configure SSSD to known SSH hosts, add pam
to services under the [sssd] section in
/etc/sssd/sssd.conf. For example:
[sssd] services = sudo, autofs, pam |
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. | |
| SRG-OS-000375-GPOS-00160 SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055 |
N/A | Enable Smartcards in SSSD |
SSSD should be configured to authenticate access to the system using smart cards.
To enable smart cards in SSSD, set pam_cert_auth to True under the
[pam] section in /etc/sssd/sssd.conf. For example:
[pam] pam_cert_auth = True |
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multi-Factor Authentication (MFA) solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider. |
|
| SRG-OS-000383-GPOS-00166 | N/A | Configure SSSD to Expire Offline Credentials |
SSSD should be configured to expire offline credentials after 1 day.
To configure SSSD to expire offline credentials, set
offline_credentials_expiration to 1 under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam] offline_credentials_expiration = 1 |
If cached authentication information is out-of-date, the validity of the authentication information may be questionable. | |
| SRG-OS-000384-GPOS-00167 | N/A | Configure Smart Card Local Cache of Revocation Data |
Configure the operating system for PKI-based authentication to use
local revocation data when unable to access the network to obtain it
remotely. Modify all of the cert_policy lines in
/etc/pam_pkcs11/pam_pkcs11.conf to include crl_auto
or crl_offline like so:
cert_policy = ca,signature,ocsp_on,crl_auto; |
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). | |
| SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 |
N/A | Record Attempts to perform maintenance activities |
The Claroty CTD 5.x operating system must generate audit records for
privileged activities, nonlocal maintenance, diagnostic sessions and
other system-level access.
Verify the operating system audits activities performed during nonlocal
maintenance and diagnostic sessions. Run the following command:
$ sudo auditctl -l | grep sudo.log -w /var/log/sudo.log -p wa -k maintenanceIf the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -w /var/log/sudo.log -p wa -k maintenanceIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /var/log/sudo.log -p wa -k maintenance |
If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. | |
| SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223 |
N/A | Verify '/proc/sys/crypto/fips_enabled' exists |
On a system where FIPS 140-2 mode is enabled, /proc/sys/crypto/fips_enabled must exist.
To verify FIPS mode, run the following command:
cat /proc/sys/crypto/fips_enabled |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. | |
| SRG-OS-000403-GPOS-00182 | N/A | Only Allow DoD PKI-established CAs | The operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. | |
| SRG-OS-000405-GPOS-00184 SRG-OS-000185-GPOS-00079 SRG-OS-000404-GPOS-00183 |
N/A | Encrypt Partitions |
Claroty CTD 5.x natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASEAny PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled. Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Claroty CTD 5.x Documentation web site: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening . |
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. | |
| SRG-OS-000420-GPOS-00186 | N/A | ufw Must rate-limit network interfaces |
The operating system must configure the uncomplicated firewall to
rate-limit impacted network interfaces.
Check all the services listening to the ports with the following
command:
$ sudo ss -l46ut Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process tcp LISTEN 0 128 [::]:ssh [::]:*For each entry, verify that the ufw is configured to rate limit the service ports with the following command: $ sudo ufw statusIf any port with a state of "LISTEN" is not marked with the "LIMIT" action, run the following command, replacing "service" with the service that needs to be rate limited: $ sudo ufw limit "service"Rate-limiting can also be done on an interface. An example of adding a rate-limit on the eth0 interface follows: $ sudo ufw limit in on eth0 |
This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. | |
| SRG-OS-000423-GPOS-00187 SRG-OS-000424-GPOS-00188 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190 |
N/A | Install the OpenSSH Server Package |
The openssh-server package should be installed.
The openssh-server package can be installed with the following command:
$ apt-get install openssh-server |
Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. | |
| SRG-OS-000423-GPOS-00187 SRG-OS-000424-GPOS-00188 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190 |
N/A | Enable the OpenSSH Service |
The SSH server service, sshd, is commonly needed.
The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service |
Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. |
|
| SRG-OS-000433-GPOS-00192 SRG-APP-000450-CTR-001105 |
N/A | Enable NX or XD Support in the BIOS | Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems. | Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will. | |
| SRG-OS-000433-GPOS-00193 SRG-OS-000480-GPOS-00227 SRG-APP-000450-CTR-001105 |
N/A | Enable Randomized Layout of Virtual Address Space |
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 |
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. | |
| SRG-OS-000437-GPOS-00194 | N/A | Ensure apt_get Removes Previous Package Versions | apt_get should be configured to remove previous software components after new versions have been installed. To configure apt_get to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/apt/apt.conf. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. | |
| SRG-OS-000445-GPOS-00199 | N/A | Build and Test AIDE Database |
Run the following command to generate a new database:
$ sudo /usr/bin/aide --initBy default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/bin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: $ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzTo initiate a manual check, run the following command: $ sudo /usr/bin/aide --checkIf this check produces any unexpected output, investigate. |
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. | |
| SRG-OS-000445-GPOS-00199 | N/A | Install AIDE |
The aide package can be installed with the following command:
$ apt-get install aide |
The AIDE package must be installed if it is to be available for integrity checking. | |
| SRG-OS-000447-GPOS-00201 SRG-OS-000363-GPOS-00150 |
N/A | Configure AIDE To Notify Personnel if Baseline Configurations Are Altered | The operating system file integrity tool must be configured to notify designated personnel of any changes to configurations. | Detecting changes in the system can help avoid unintended, and negative consequences that could affect the security state of the operating system | |
| SRG-OS-000471-GPOS-00215 | N/A | Ensure auditd Collects Changes to Cron Jobs - /etc/cron.d/ |
At a minimum, the audit system should collect administrator actions
for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/cron.d/ -p wa -k cronjobsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /etc/cron.d/ -p wa -k cronjobs |
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. | |
| SRG-OS-000472-GPOS-00217 | N/A | Record Attempts to Alter Process and Session Initiation Information btmp |
The audit system already collects process information for all
users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/log/btmp -p wa -k sessionIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /var/log/btmp -p wa -k session |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | |
| SRG-OS-000472-GPOS-00217 | N/A | Record Attempts to Alter Process and Session Initiation Information utmp |
The audit system already collects process information for all
users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/run/utmp -p wa -k sessionIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /var/run/utmp -p wa -k session |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | |
| SRG-OS-000472-GPOS-00217 | N/A | Record Attempts to Alter Process and Session Initiation Information wtmp |
The audit system already collects process information for all
users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/log/wtmp -p wa -k sessionIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /var/log/wtmp -p wa -k session |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | |
| SRG-OS-000477-GPOS-00222 | N/A | Ensure auditd Collects Information on the Use of Privileged Commands - fdisk | Configure the operating system to audit the execution of the partition management program "fdisk". | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). | |
| SRG-OS-000479-GPOS-00224 | N/A | Offload audit Logs to External Media | The operating system must have a crontab script running weekly to offload audit events of standalone systems. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. | |
| SRG-OS-000480-GPOS-00225 SRG-OS-000072-GPOS-00040 |
N/A | Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words | The pam_pwquality module's dictcheck check if passwords contains dictionary words. When dictcheck is set to 1 passwords will be checked for dictionary words. |
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Passwords with dictionary words may be more vulnerable to password-guessing attacks. |
|
| SRG-OS-000480-GPOS-00225 | N/A | Ensure PAM Enforces Password Requirements - Enforcing |
Verify that the operating system uses "pwquality" to enforce the
password complexity rules.
Verify the pwquality module is being enforced by operating system by
running the following command:
$ grep -i enforcing /etc/security/pwquality.conf enforcing = 1If the value of "enforcing" is not "1" or the line is commented out, this is a finding. |
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Using enforcing=1 ensures "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. | |
| SRG-OS-000480-GPOS-00225 | N/A | Install pam_pwquality Package |
The libpwquality package can be installed with the following command:
$ apt-get install libpwquality |
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. | |
| SRG-OS-000480-GPOS-00226 | N/A | Enforce Delay After Failed Logon Attempts |
To configure the system to introduce a delay after failed logon attempts,
add or correct the pam_faildelay settings in
/etc/pam.d/common-auth to make sure its delay parameter
is at least 4000000 or greater. For example:
auth required pam_faildelay.so delay=4000000 |
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. | var_password_pam_delay=4000000 |
| SRG-OS-000480-GPOS-00227 | N/A | Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 |
By default, GNOME will reboot the system if the
Ctrl-Alt-Del key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to [''] in /etc/dconf/db/local.d/00-security-settings. For example: [org/gnome/settings-daemon/plugins/media-keys] logout=['']Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/settings-daemon/plugins/media-keys/logoutAfter the settings have been set, run dconf update. |
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. | |
| SRG-OS-000480-GPOS-00227 | N/A | The Installed Operating System Is Vendor Supported | The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches. | An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. | |
| SRG-OS-000480-GPOS-00227 | N/A | Prevent Login to Accounts With Empty Password | If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in /etc/pam.d/system-auth and /etc/pam.d/password-auth to prevent logins with empty passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. | |
| SRG-OS-000480-GPOS-00227 | N/A | Ensure There Are No Accounts With Blank or Null Passwords |
Check the "/etc/shadow" file for blank passwords with the
following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding.
Configure all accounts on the system to have a password or lock
the account with the following commands:
Perform a password reset:
$ sudo passwd [username]Lock an account: $ sudo passwd -l [username] |
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. | |
| SRG-OS-000480-GPOS-00227 | N/A | Enable rsyslog Service |
The rsyslog service provides syslog-style logging by default on Claroty CTD 5.x.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service |
The rsyslog service must be running in order to provide logging services, which are essential to system administration. | |
| SRG-OS-000480-GPOS-00227 | N/A | Disable X11 Forwarding |
The X11Forwarding parameter provides the ability to tunnel X11 traffic
through the connection to enable remote graphic connections.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for X11Forwarding. To explicitly disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: X11Forwarding no |
Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. | |
| SRG-OS-000480-GPOS-00227 | N/A | Prevent remote hosts from connecting to the proxy display |
The SSH daemon should prevent remote hosts from connecting to the proxy
display.
The default SSH configuration for X11UseLocalhost is yes, which prevents remote hosts from connecting to the proxy display. To explicitly prevent remote connections to the proxy display, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: X11UseLocalhost yes |
When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. | |
| SRG-OS-000480-GPOS-00227 | N/A | The operating system must restrict privilege elevation to authorized personnel | The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. Restrict privileged actions by removing the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL | If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. | |
| SRG-OS-000480-GPOS-00227 SRG-OS-000420-GPOS-00186 SRG-OS-000142-GPOS-00071 |
N/A | Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1 |
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. | |
| SRG-OS-000480-GPOS-00228 | N/A | Ensure the Default Umask is Set Correctly in login.defs |
To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 077 |
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. | var_accounts_user_umask=077 |
| SRG-OS-000480-GPOS-00229 | N/A | Do Not Allow SSH Environment Options |
Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment. To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: PermitUserEnvironment no |
SSH environment options potentially allow users to bypass access restriction in some configurations. | |
| N/A | Ensure auditd Collects Information on the Use of Privileged Commands - chfn |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chfn -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chfn -F auid>=1000 -F auid!=unset -F key=privileged |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). | ||
| N/A | Ensure auditd Collects records for events that affect "/var/log/journal" |
Auditing the systemd journal files provides logging that can be used for
forensic purposes. Verify the system generates audit records for all events
that affect "/var/log/journal" by using the following command:
$ sudo auditctl -l | grep journal -w /var/log/journal/ -p wa -k systemd_journalIf the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -w /var/log/journal -p wa -k systemd_journalIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules: -w /var/log/journal -p wa -k systemd_journal |
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify system level binaries and their operation. Auditing the systemd journal files provides logging that can be used for forensic purposes. | ||
| N/A | Verify ufw Active |
Verify the ufw is enabled on the system with the following command:
# sudo ufw statusIf the above command returns the status as "inactive" or any type of error, this is a finding. |
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Ubuntu 22.04 LTS functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components. | ||
| N/A | Claroty CTD must accept the DOD CAC or other PKI credential for identity management and personal authentication. | Claroty CTD must support DoD CAC or other approved PKI credentials for identity management and personal authentication where required. | CAC and PKI credentials strengthen identity assurance and support enterprise authentication requirements. | ||
| N/A | Claroty CTD must alert the information system security officer (ISSO), information system security manager (ISSM), and other individuals designated by the local organization when events are detected that indicate a compromise or potential for compromise. | Claroty CTD must alert the ISSO, ISSM, and other designated personnel when compromise-related events are detected. | Prompt security alerting helps organizations respond quickly to indicators of compromise or potential compromise. | ||
| N/A | Claroty CTD must allocate audit record storage retention length. | Claroty CTD must allocate sufficient storage retention for audit records in accordance with organizational requirements. | Adequate audit storage retention helps ensure records remain available for monitoring, investigation, and compliance review. | ||
| N/A | Claroty CTD must only allow authorized local accounts as documented in the System Security Plan (SSP). | Claroty CTD must permit only local accounts that are authorized and documented in the system security plan. | Restricting local accounts reduces unauthorized access paths and supports accountable administration. | ||
| N/A | Before establishing a network connection with a Network Time Protocol (NTP) server, Claroty CTD must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server. | Claroty CTD must authenticate to the configured NTP server using a bidirectional cryptographic method based on FIPS-validated AES before establishing the network connection. | Authenticated NTP reduces the risk of time spoofing and improves the trustworthiness of system timestamps. | ||
| N/A | Change Default Administrator Password | The default administrative password for Claroty CTD 5.x must be changed from the vendor-supplied value to an organization-approved password. | Default credentials are widely known and can provide attackers with immediate administrative access if they are not changed during deployment. | ||
| N/A | Claroty CTD must configure local password policies. | Claroty CTD must enforce local password policies that meet organizational requirements for complexity and strength. | Strong password policy requirements make it more difficult to compromise local credentials. | ||
| N/A | Claroty CTD must have disk encryption enabled on virtual machines (VMs). | Claroty CTD deployments on virtual machines must enable disk encryption for the virtual storage used by the appliance. | Disk encryption protects sensitive data at rest from unauthorized disclosure if the underlying storage is exposed. | ||
| N/A | Claroty CTD must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system. | Claroty CTD must display the Standard Mandatory DoD Notice and Consent Banner before granting system access. | Required notice and consent language establishes user awareness and supports authorized monitoring. | ||
| N/A | The publicly accessible Claroty CTD application must display the Standard Mandatory DOD Notice and Consent Banner before granting access to Claroty CTD. | The Claroty CTD web application must display the Standard Mandatory DoD Notice and Consent Banner before granting access. | A pre-access banner ensures users are informed of monitoring and consent requirements before using the web application. | ||
| N/A | Claroty CTD must configure idle timeouts at 10 minutes. | Claroty CTD must terminate or lock idle administrative sessions after 10 minutes of inactivity. | Short idle timeouts reduce the risk of unauthorized use of an unattended session. | ||
| N/A | Claroty CTD must have notification and audit services operational. | Claroty CTD must maintain operational notification and audit services to support monitoring and accountability. | Notification and audit services are necessary to detect, record, and respond to security-relevant events. | ||
| N/A | Claroty CTD must notify system administrators and information system security officer (ISSO) of local account activity. | Claroty CTD must notify designated administrators and the ISSO of local account activity. | Notification of local account activity helps identify unauthorized account creation and misuse. | ||
| N/A | Claroty CTD must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions. | Claroty CTD must use only DoD PKI-established certificate authorities for protected session verification where required. | Restricting trust to approved certificate authorities reduces the risk of accepting untrusted identities for protected sessions. | ||
| N/A | Claroty CTD must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system. | Claroty CTD must restrict full administrative rights to ISSM-authorized individuals only. | Limiting full administrative rights reduces the chance of unauthorized changes to auditing and system security settings. | ||
| N/A | Claroty CTD must limit privileges and restrict administrative shell access. | Claroty CTD must restrict administrative shell access and limit privileges to only those functions required by authorized users. | Restricting shell access and privilege escalation reduces the risk of unauthorized changes to the platform. | ||
| N/A | Claroty CTD must be configured to send backup audit records. | Claroty CTD must be configured to preserve or send backup copies of audit records. | Backup audit records support recovery, forensic review, and the continued availability of security evidence. | ||
| N/A | The Claroty CTD Syslog client must use TCP connections. | The Claroty CTD syslog client must use TCP for remote log transport. | TCP supports more reliable delivery for remote log forwarding than connectionless transports. | ||
| N/A | Claroty CTD must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of application configuration files and user-generated data stored or aggregated on the device. | Claroty CTD must use FIPS-validated encryption and hashing algorithms to protect configuration files and user-generated data stored on the device. | FIPS-validated cryptography supports the confidentiality and integrity of sensitive data stored by the platform. | ||
| N/A | Claroty CTD must use an Identity Provider (IDP) for authentication and authorization processes. | Claroty CTD must integrate with an approved identity provider for authentication and authorization processes. | Centralized identity management improves account lifecycle control and reduces administrative error. | ||
| N/A | Verify group-owner of system journal directories |
Verify the /run/log/journal and /var/log/journal directories are group-owned by
"systemd-journal" by using the following command:
$ sudo find /run/log/journal /var/log/journal -type d -exec stat -c "%n %G" {} \;
If any output returned is not owned by "systemd-journal", this is a finding.
|
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. | ||
| N/A | Verify owner of system journal directories |
Verify the /run/log/journal and /var/log/journal directories are owned by
"root" by using the following command:
$ sudo find /run/log/journal /var/log/journal -type d -exec stat -c "%n %U" {} \;
If any output returned is not owned by "root", this is a finding.
|
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. | ||
| N/A | Verify Permissions on the system journal directories |
Verify the /run/log/journal and /var/log/journal directories have
permissions set to "2750" or less permissive by using the following command:
$ sudo find /run/log/journal /var/log/journal -type d -exec stat -c "%n %a" {} \;
If any output returned has a permission set greater than "2750", this is a finding.
|
Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. | ||
| N/A | Verify Groupowner on the journalctl command |
Verify that the "journalctl" command is group-owned by "root" by
using the following command:
$ sudo find /usr/bin/journalctl -exec stat -c "%n %G" {} \;
If any output returned is not owned by "root", this is a finding.
|
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. | ||
| SRG-APP-000118-CTR-000240 | N/A | Verify Group Who Owns the system journal |
'
To properly set the group owner of /var/log/journal/.*/system.journal, run the command:
$ sudo chgrp systemd-journal /var/log/journal/.*/system.journal' |
RHCOS must protect system journal file from any type of unauthorized access by setting file group ownership. | |
| N/A | Verify Owner on the journalctl Command |
Verify that the "journalctl" command is owned by "root" by
using the following command:
$ sudo find /usr/bin/journalctl -exec stat -c "%n %U" {} \;
If any output returned is not owned by "root", this is a finding.
|
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. | ||
| SRG-APP-000118-CTR-000240 | N/A | Verify Owner on the system journal |
'
To properly set the owner of /var/log/journal/.*/system.journal, run the command:
$ sudo chown root /var/log/journal/.*/system.journal' |
RHCOS must protect system journal file from any type of unauthorized access by setting file ownership | |
| N/A | Verify Permissions on /etc/audit/audit.rules |
To properly set the permissions of /etc/audit/audit.rules, run the command:
$ sudo chmod 0640 /etc/audit/audit.rules |
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. | ||
| N/A | Verify Permissions on the journal command |
Verify that the "journalctl" command has a permission set of "740" by
using the following command:
$ sudo find /usr/bin/journalctl -exec stat -c "%n %a" {} \;
If "journalctl" is not set to "740", this is a finding.
|
Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. | ||
| SRG-APP-000118-CTR-000240 | N/A | Verify Permissions on the system journal |
To properly set the permissions of /var/log/journal/.*/system.journal, run the command:
$ sudo chmod 0640 /var/log/journal/.*/system.journal |
RHCOS must protect system journal file from any type of unauthorized access by setting file permissions. | |
| N/A | Uninstall nfs-common Package |
The nfs-common package can be removed with the following command:
$ apt-get remove nfs-common |
If the system does not export NFS shares or act as an NFS client, it is recommended that these services be removed to reduce the remote attack surface. | ||
| N/A | Uninstall nfs-kernel-server Package |
The nfs-kernel-server package can be removed with the following command:
$ apt-get remove nfs-kernel-server |
If the system does not export NFS shares or act as an NFS client, it is recommended that these services be removed to reduce the remote attack surface. | ||
| N/A | Install nss-sss Package |
The libnss-sss package can be installed with the following command:
$ apt-get install libnss-sss |
libnss-sss contains library that is needed by SSSD (System Security Services Daemon).. | ||
| N/A | Remove the ntp service | The ntpd service should not be installed. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. | ||
| N/A | Install pam-sss Package |
The libpam-sss package can be installed with the following command:
$ apt-get install libpam-sss |
libpam-sss has pam module for the SSSD (System Security Services Daemon). | ||
| N/A | Uninstall the telnet server | The telnet daemon should be uninstalled. | telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be listened and no integrity checking is made.' | ||
| N/A | Remove the systemd_timesyncd Service | The systemd_timesyncd service should not be installed. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. | ||
| N/A | Set Password Hashing Algorithm for PAM |
The PAM system service can be configured to only store encrypted representations of passwords.
In "/etc/pam.d/common-password", the password section of the file controls which
PAM modules to execute during a password change.
Set the pam_unix.so module in the password section to include the option
sha512 and no other hashing algorithms as shown below:
password [success=1 default=ignore] pam_unix.so sha512 other arguments... This will help ensure that new passwords for local users will be stored using the sha512 algorithm. |
Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.
This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. |
||
| N/A | Certificate trust path in SSSD | Enable certification trust path for SSSD to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. | ||
| N/A | Enable Certificates Mapping in SSSD |
SSSD needs to be set up to link the authenticated identity to the user or group account
for PKI-based authentication. To implement this, confirm that the /etc/sssd/sssd.conf
file contains the following line
ldap_user_certificate=userCertificate;binary |
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. |