xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis_level1_server

Guide to the Secure Configuration of Ubuntu 22.04

with profile CIS Ubuntu 22.04 Level 1 Server Benchmark
This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS Benchmark, v1.0.0, released 08-30-2022.

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Ubuntu 22.04. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	ip-172-31-1-30
Benchmark URL	/usr/share/ubuntu-scap-security-guides/current/benchmarks/ssg-ubuntu2204-xccdf.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04
Profile ID	xccdf_org.ssgproject.content_profile_cis_level1_server
Started at	2023-11-03T10:26:26
Finished at	2023-11-03T10:28:21
Performed by	ubuntu

CPE Platforms

cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~

Addresses

IPv4 127.0.0.1
IPv4 172.31.1.30
IPv6 0:0:0:0:0:0:0:1
IPv6 fe80:0:0:0:409:b3ff:feab:8941
MAC 00:00:00:00:00:00
MAC 06:09:B3:AB:89:41

Compliance and Scoring

The target system did not satisfy the conditions of 83 rules! Please review rule results and consider applying remediation.

Rule results

164 passed

83 failed

0 other

Severity of failed rules

5 other

2 low

74 medium

2 high

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	75.494339	100.000000	75.49%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of Ubuntu 22.04 83x fail
System Settings 73x fail
Installing and Maintaining Software 6x fail
System and Software Integrity 4x fail
Software Integrity Checking 4x fail
Verify Integrity with AIDE 4x fail
Install AIDE	medium	fail
Build and Test AIDE Database	medium	fail
Configure AIDE to Verify the Audit Tools	medium	fail
Configure Periodic Execution of AIDE	medium	fail
Package "prelink" Must not be Installed	medium	pass
Disk Partitioning 1x fail
Ensure /tmp Located On Separate Partition	low	fail
GNOME Desktop Environment
Configure GNOME Login Screen
Disable the GNOME3 Login User List	medium	notapplicable
Disable XDMCP in GDM	high	notapplicable
GNOME Media Settings
Disable GNOME3 Automounting	medium	notapplicable
Disable GNOME3 Automount Opening	medium	notapplicable
Disable GNOME3 Automount running	low	notapplicable
Configure GNOME Screen Locking
Set GNOME3 Screensaver Lock Delay After Activation Period	medium	notapplicable
Enable GNOME3 Screensaver Lock After Idle Period	medium	notapplicable
Sudo 1x fail
Install sudo Package	medium	pass
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty	medium	pass
Ensure Sudo Logfile Exists - sudo logfile	low	pass
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate	medium	pass
Require Re-Authentication When Using the sudo Command	medium	fail
Account and Access Control 23x fail
Warning Banners for System Accesses 2x fail
Implement a GUI Warning Banner
Enable GNOME3 Login Warning Banner	medium	notapplicable
Set the GNOME3 Login Warning Banner Text	medium	notapplicable
Modify the System Login Banner	medium	fail
Modify the System Login Banner for Remote Connections	medium	fail
Modify the System Message of the Day Banner	medium	pass
Verify Group Ownership of System Login Banner	medium	pass
Verify Group Ownership of System Login Banner for Remote Connections	medium	pass
Verify Group Ownership of Message of the Day Banner	medium	pass
Verify ownership of System Login Banner	medium	pass
Verify ownership of System Login Banner for Remote Connections	medium	pass
Verify ownership of Message of the Day Banner	medium	pass
Verify permissions on System Login Banner	medium	pass
Verify permissions on System Login Banner for Remote Connections	medium	pass
Verify permissions on Message of the Day Banner	medium	pass
Protect Accounts by Configuring PAM 12x fail
Set Lockouts for Failed Password Attempts 4x fail
Limit Password Reuse	medium	fail
Lock Accounts After Failed Password Attempts	medium	fail
Set Interval For Counting Failed Password Attempts	medium	fail
Set Lockout Time for Failed Password Attempts	medium	fail
Set Password Quality Requirements 7x fail
Set Password Quality Requirements with pam_pwquality 7x fail
Ensure PAM Enforces Password Requirements - Minimum Digit Characters	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Different Categories	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Length	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Special Characters	medium	fail
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters	medium	fail
Set Password Hashing Algorithm 1x fail
Set Password Hashing Algorithm in /etc/login.defs	medium	fail
Protect Accounts by Restricting Password-Based Login 5x fail
Set Account Expiration Parameters 1x fail
Set Account Expiration Following Inactivity	medium	fail
Ensure All Accounts on the System Have Unique Names	medium	pass
Ensure shadow group is empty	medium	pass
Set Password Expiration Parameters 2x fail
Set Password Maximum Age	medium	fail
Set Password Minimum Age	medium	fail
Set Existing Passwords Maximum Age	medium	pass
Set Existing Passwords Minimum Age	medium	pass
Set Password Warning Age	medium	pass
Verify Proper Storage and Existence of Password Hashes
Verify All Account Password Hashes are Shadowed	medium	pass
Ensure all users last password change date is in the past	medium	pass
All GIDs referenced in /etc/passwd must be defined in /etc/group	low	pass
Ensure There Are No Accounts With Blank or Null Passwords	high	pass
Verify No .forward Files Exist	medium	pass
Verify No netrc Files Exist	medium	pass
Restrict Root Logins 2x fail
Verify Only Root Has UID 0	high	pass
Verify Root Has A Primary GID 0	high	pass
Ensure the Group Used by pam_wheel Module Exists on System and is Empty	medium	pass
Ensure Authentication Required for Single User Mode	medium	fail
Ensure that System Accounts Do Not Run a Shell Upon Login	medium	pass
Enforce Usage of pam_wheel with Group Parameter for su Authentication	medium	fail
Ensure All Accounts on the System Have Unique User IDs	medium	pass
Ensure All Groups on the System Have Unique Group ID	medium	pass
Ensure All Groups on the System Have Unique Group Names	medium	pass
Secure Session Configuration Files for Login Accounts 4x fail
Ensure that No Dangerous Directories Exist in Root's Path
Ensure that Root's Path Does Not Include World or Group-Writable Directories	medium	pass
Ensure that Root's Path Does Not Include Relative Paths or Null Directories	unknown	pass
Ensure that Users Have Sensible Umask Values 3x fail
Ensure the Default Bash Umask is Set Correctly	medium	fail
Ensure the Default Umask is Set Correctly in login.defs	medium	fail
Ensure the Default Umask is Set Correctly in /etc/profile	medium	fail
Ensure the Default Umask is Set Correctly For Interactive Users	medium	pass
Set Interactive Session Timeout	medium	fail
User Initialization Files Must Be Group-Owned By The Primary Group	medium	pass
User Initialization Files Must Not Run World-Writable Programs	medium	pass
User Initialization Files Must Be Owned By the Primary User	medium	pass
All Interactive Users Home Directories Must Exist	medium	pass
All Interactive User Home Directories Must Be Group-Owned By The Primary Group	medium	pass
All Interactive User Home Directories Must Be Owned By The Primary User	medium	pass
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive	medium	pass
System Accounting with auditd
Configure auditd Rules for Comprehensive Auditing
System Audit Logs Must Have Mode 0750 or Less Permissive	medium	notapplicable
System Audit Logs Must Be Group Owned By Root	medium	notapplicable
Audit Configuration Files Must Be Owned By Group root	medium	notapplicable
Audit Configuration Files Must Be Owned By Root	medium	notapplicable
System Audit Logs Must Be Owned By Root	medium	notapplicable
System Audit Logs Must Have Mode 0640 or Less Permissive	medium	notapplicable
AppArmor 1x fail
Ensure AppArmor is installed	medium	pass
All AppArmor Profiles are in enforce or complain mode	medium	pass
Ensure AppArmor is enabled in the bootloader configuration	medium	fail
GRUB2 bootloader configuration 2x fail
Non-UEFI GRUB2 bootloader configuration 2x fail
Verify /boot/grub/grub.cfg User Ownership	medium	pass
Verify /boot/grub/grub.cfg Permissions	medium	fail
Set Boot Loader Password in grub2	high	fail
UEFI GRUB2 bootloader configuration
Set the UEFI Boot Loader Password	high	notapplicable
Configure Syslog 4x fail
systemd-journald 3x fail
Install systemd-journal-remote Package	medium	fail
Enable systemd-journald Service	medium	pass
Ensure journald is configured to compress large log files	medium	fail
Ensure journald is configured to write log files to persistent disk	medium	fail
Disable systemd-journal-remote Socket	medium	pass
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server	medium	pass
Rsyslog Logs Sent To Remote Host 1x fail
Ensure Logs Sent To Remote Host	medium	fail
Ensure rsyslog is Installed	medium	pass
Enable rsyslog Service	medium	pass
Ensure rsyslog Default File Permissions Configured	medium	pass
Network Configuration and Firewalls 32x fail
iptables and ip6tables
Inspect and Activate Default Rules
Set Default ip6tables Policy for Incoming Packets	medium	notapplicable
Set configuration for IPv6 loopback traffic	medium	notapplicable
Set configuration for loopback traffic	medium	notapplicable
Strengthen the Default Ruleset
Ensure ip6tables Firewall Rules Exist for All Open Ports	medium	notapplicable
Ensure iptables Firewall Rules Exist for All Open Ports	medium	notapplicable
Set Default iptables Policy for Incoming Packets	medium	notapplicable
Install iptables Package	medium	pass
Remove iptables-persistent Package	medium	pass
IPv6 7x fail
Configure IPv6 Settings if Necessary 7x fail
Configure Accepting Router Advertisements on All IPv6 Interfaces	medium	fail
Disable Accepting ICMP Redirects for All IPv6 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces	medium	fail
Disable Kernel Parameter for IPv6 Forwarding	medium	fail
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default	medium	fail
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default	medium	fail
Kernel Parameters Which Affect Networking 15x fail
Network Related Kernel Runtime Parameters for Hosts and Routers 12x fail
Disable Accepting ICMP Redirects for All IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces	medium	fail
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces	unknown	fail
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default	medium	pass
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default	unknown	fail
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default	medium	fail
Configure Kernel Parameter for Accepting Secure Redirects By Default	medium	fail
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces	medium	fail
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces	unknown	fail
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces	medium	fail
Network Parameters for Hosts Only 3x fail
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default	medium	fail
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces	medium	fail
nftables 6x fail
Install nftables Package	medium	pass
Verify nftables Service is Enabled	medium	fail
Ensure nftables default deny firewall policy	medium	fail
Ensure nftables rules are permanent	medium	fail
Ensure Base Chains Exist for Nftables	medium	fail
Set nftables configuration for loopback traffic	medium	fail
Ensure a Table Exists for Nftables	medium	fail
Uncomplicated Firewall (ufw) 4x fail
Remove ufw Package	medium	fail
Verify ufw Enabled	medium	pass
Ensure ufw Default Deny Firewall Policy	medium	fail
Set UFW Loopback Traffic	medium	fail
Ensure ufw Firewall Rules Exist for All Open Ports	medium	fail
Wireless Networking
Disable Wireless Through Software Configuration
Deactivate Wireless Network Interfaces	medium	pass
File Permissions and Masks 5x fail
Verify Permissions on Important Files and Directories
Verify Permissions on Files with Local Account Information and Credentials
Verify Group Who Owns Backup group File	medium	pass
Verify Group Who Owns Backup gshadow File	medium	pass
Verify Group Who Owns Backup passwd File	medium	pass
Verify User Who Owns Backup shadow File	medium	pass
Verify Group Who Owns group File	medium	pass
Verify Group Who Owns gshadow File	medium	pass
Verify Group Who Owns passwd File	medium	pass
Verify Group Who Owns shadow File	medium	pass
Verify User Who Owns Backup group File	medium	pass
Verify User Who Owns Backup gshadow File	medium	pass
Verify User Who Owns Backup passwd File	medium	pass
Verify Group Who Owns Backup shadow File	medium	pass
Verify User Who Owns group File	medium	pass
Verify User Who Owns gshadow File	medium	pass
Verify User Who Owns passwd File	medium	pass
Verify User Who Owns shadow File	medium	pass
Verify Permissions on Backup group File	medium	pass
Verify Permissions on Backup gshadow File	medium	pass
Verify Permissions on Backup passwd File	medium	pass
Verify Permissions on Backup shadow File	medium	pass
Verify Permissions on group File	medium	pass
Verify Permissions on gshadow File	medium	pass
Verify Permissions on passwd File	medium	pass
Verify Permissions on shadow File	medium	pass
Verify File Permissions Within Some Important Directories
Verify that audit tools are owned by group root	medium	pass
Verify that audit tools are owned by root	medium	pass
Verify that audit tools Have Mode 0755 or less	medium	pass
Verify Permissions on /etc/audit/auditd.conf	medium	pass
Verify Permissions on /etc/audit/rules.d/*.rules	medium	pass
Ensure No World-Writable Files Exist	medium	pass
Ensure All Files Are Owned by a Group	medium	pass
Ensure All Files Are Owned by a User	medium	pass
Verify permissions of log files	medium	pass
Restrict Dynamic Mounting and Unmounting of Filesystems 2x fail
Disable the Automounter	medium	pass
Disable Mounting of cramfs	low	fail
Disable Modprobe Loading of USB Storage Driver	medium	fail
Restrict Partition Mount Options 3x fail
Add nodev Option to /dev/shm	medium	fail
Add noexec Option to /dev/shm	medium	fail
Add nosuid Option to /dev/shm	medium	fail
Add nodev Option to /home	unknown	notapplicable
Add nosuid Option to /home	medium	notapplicable
Add nodev Option to /tmp	medium	notapplicable
Add noexec Option to /tmp	medium	notapplicable
Add nosuid Option to /tmp	medium	notapplicable
Add nodev Option to /var/log/audit	medium	notapplicable
Add noexec Option to /var/log/audit	medium	notapplicable
Add nosuid Option to /var/log/audit	medium	notapplicable
Add nodev Option to /var/log	medium	notapplicable
Add noexec Option to /var/log	medium	notapplicable
Add nosuid Option to /var/log	medium	notapplicable
Add nodev Option to /var	medium	notapplicable
Add nosuid Option to /var	medium	notapplicable
Add nodev Option to /var/tmp	medium	notapplicable
Add noexec Option to /var/tmp	medium	notapplicable
Add nosuid Option to /var/tmp	medium	notapplicable
Restrict Programs from Dangerous Execution Patterns
Disable Core Dumps
Disable Core Dumps for All Users	medium	pass
Disable Core Dumps for SUID programs	medium	pass
Enable ExecShield
Enable Randomized Layout of Virtual Address Space	medium	pass
Services 10x fail
Apport Service
Disable Apport Service	unknown	pass
Avahi Server
Disable Avahi Server if Possible
Uninstall avahi Server Package	medium	pass
Disable Avahi Server Software	medium	pass
Cron and At Daemons
Restrict at and cron to Authorized Users if Necessary
Ensure that /etc/at.deny does not exist	medium	pass
Ensure that /etc/cron.deny does not exist	medium	pass
Verify Group Who Owns /etc/at.allow file	medium	pass
Verify Group Who Owns /etc/cron.allow file	medium	pass
Verify User Who Owns /etc/at.allow file	medium	pass
Verify User Who Owns /etc/cron.allow file	medium	pass
Verify Permissions on /etc/at.allow file	medium	pass
Verify Permissions on /etc/cron.allow file	medium	pass
Enable cron Service	medium	pass
Verify Group Who Owns cron.d	medium	pass
Verify Group Who Owns cron.daily	medium	pass
Verify Group Who Owns cron.hourly	medium	pass
Verify Group Who Owns cron.monthly	medium	pass
Verify Group Who Owns cron.weekly	medium	pass
Verify Group Who Owns Crontab	medium	pass
Verify Owner on cron.d	medium	pass
Verify Owner on cron.daily	medium	pass
Verify Owner on cron.hourly	medium	pass
Verify Owner on cron.monthly	medium	pass
Verify Owner on cron.weekly	medium	pass
Verify Owner on crontab	medium	pass
Verify Permissions on cron.d	medium	pass
Verify Permissions on cron.daily	medium	pass
Verify Permissions on cron.hourly	medium	pass
Verify Permissions on cron.monthly	medium	pass
Verify Permissions on cron.weekly	medium	pass
Verify Permissions on crontab	medium	pass
Deprecated services
Uninstall the nis package	low	pass
DHCP
Disable DHCP Server
Uninstall DHCP Server Package	medium	pass
DNS Server
Disable DNS Server
Uninstall bind Package	low	pass
FTP Server
Disable vsftpd if Possible
Uninstall vsftpd Package	high	pass
Web Server 1x fail
Disable Apache if Possible 1x fail
Uninstall httpd Package	unknown	fail
Disable NGINX if Possible
Uninstall nginx Package	unknown	pass
IMAP and POP3 Server
Disable Cyrus IMAP
Uninstall cyrus-imapd Package	unknown	pass
Disable Dovecot
Uninstall dovecot Package	unknown	pass
LDAP
Configure OpenLDAP Clients
Ensure LDAP client is not installed	low	pass
Configure OpenLDAP Server
Uninstall openldap-servers Package	low	pass
Mail Server Software
Configure SMTP For Mail Clients
Disable Postfix Network Listening	medium	notapplicable
Ensure Mail Transfer Agent is not Listening on any non-loopback Address	medium	pass
NFS and RPC
Disable All NFS Services if Possible
Disable Services Used Only by NFS
Uninstall rpcbind Package	low	pass
Uninstall nfs-kernel-server Package	low	pass
Network Time Protocol
Install the systemd_timesyncd Service	high	pass
The Chronyd service is enabled	medium	notapplicable
Enable the NTP Daemon	high	notapplicable
Enable systemd_timesyncd Service	high	pass
Ensure that chronyd is running under chrony user account	medium	notapplicable
Configure server restrictions for ntpd	medium	notapplicable
Configure ntpd To Run As ntp User	medium	notapplicable
Obsolete Services
Rlogin, Rsh, and Rexec
Uninstall rsh Package	unknown	pass
Remove Rsh Trust Files	high	pass
Chat/Messaging Services
Uninstall talk Package	medium	pass
Telnet
Remove telnet Clients	low	pass
Uninstall rsync Package	medium	pass
Print Support
Uninstall CUPS Package	unknown	pass
Disable the CUPS Service	unknown	pass
Proxy Server
Disable Squid if Possible
Uninstall squid Package	unknown	pass
Samba(SMB) Microsoft Windows File Sharing Server
Disable Samba if Possible
Uninstall Samba Package	unknown	pass
SNMP Server
Disable SNMP Server if Possible
Uninstall net-snmp Package	unknown	pass
SSH Server 9x fail
Configure OpenSSH Server if Necessary 9x fail
Set SSH Client Alive Count Max	medium	fail
Set SSH Client Alive Interval	medium	fail
Disable Host-Based Authentication	medium	fail
Disable SSH Access via Empty Passwords	high	fail
Disable SSH Support for .rhosts Files	medium	pass
Disable SSH Root Login	medium	fail
Do Not Allow SSH Environment Options	medium	pass
Enable PAM	medium	pass
Enable SSH Warning Banner	medium	fail
Limit Users' SSH Access	unknown	fail
Ensure SSH LoginGraceTime is configured	medium	fail
Set LogLevel to INFO	low	pass
Set SSH authentication attempt limit	medium	pass
Set SSH MaxSessions limit	medium	pass
Ensure SSH MaxStartups is configured	medium	pass
Use Only Strong Ciphers	medium	pass
Use Only Strong Key Exchange algorithms	medium	pass
Use Only Strong MACs	medium	fail
Verify Group Who Owns SSH Server config file	medium	pass
Verify Owner on SSH Server config file	medium	pass
Verify Permissions on SSH Server config file	medium	pass
Verify Permissions on SSH Server Private *_key Key Files	medium	pass
Verify Permissions on SSH Server Public *.pub Key Files	medium	pass
X Window System
Disable X Windows
Remove the X Windows Package Group	medium	pass

Result Details

Install AIDE

Rule ID xccdf_org.ssgproject.content_rule_package_aide_installed

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1

Description

The aide package can be installed with the following command:

$ apt-get install aide

Rationale

The AIDE package must be installed if it is to be available for integrity checking.

Remediation Puppet snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	enable

include install_aide

class install_aide {
  package { 'aide':
    ensure => 'installed',
  }
}

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Strategy:	enable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure aide is installed
  package:
    name: aide
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_aide_installed

Remediation script: (show)


[[packages]]
name = "aide"
version = "*"

Build and Test AIDE Database

Rule ID xccdf_org.ssgproject.content_rule_aide_build_database

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1

Description

Run the following command to generate a new database:

$ sudo aideinit

By default, the database will be written to the file /var/lib/aide/aide.db.new. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/bin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:

$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

To initiate a manual check, run the following command:

$ sudo /usr/bin/aide --check

If this check produces any unexpected output, investigate.

Rationale

For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"

AIDE_CONFIG=/etc/aide/aide.conf
DEFAULT_DB_PATH=/var/lib/aide/aide.db

# Fix db path in the config file, if necessary
if ! grep -q '^database=file:' ${AIDE_CONFIG}; then
    # replace_or_append gets confused by 'database=file' as a key, so should not be used.
    #replace_or_append "${AIDE_CONFIG}" '^database=file' "${DEFAULT_DB_PATH}" '@CCENUM@' '%s:%s'
    echo "database=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG}
fi

# Fix db out path in the config file, if necessary
if ! grep -q '^database_out=file:' ${AIDE_CONFIG}; then
    echo "database_out=file:${DEFAULT_DB_PATH}.new" >> ${AIDE_CONFIG}
fi

/usr/sbin/aideinit -y -f

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Ensure AIDE is installed
  package:
    name: '{{ item }}'
    state: present
  with_items:
  - aide
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Build and Test AIDE Database
  command: /usr/sbin/aide --init
  changed_when: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check whether the stock AIDE Database exists
  stat:
    path: /var/lib/aide/aide.db.new.gz
  register: aide_database_stat
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Stage AIDE Database
  copy:
    src: /var/lib/aide/aide.db.new
    dest: /var/lib/aide/aide.db
    backup: true
    remote_src: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists)
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Configure AIDE to Verify the Audit Tools

Rule ID xccdf_org.ssgproject.content_rule_aide_check_audit_tools

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 4.1.4.11

Description

The operating system file integrity tool must be configured to protect the integrity of the audit tools.

Rationale

Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"










if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide/aide.conf; then
sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide/aide.conf
else
echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure Periodic Execution of AIDE

Rule ID xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2

Description

At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/bin/aide --config /etc/aide/aide.conf --check

To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * 0 root /usr/bin/aide --config /etc/aide/aide.conf --check

AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.

Rationale

By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"

# AiDE usually adds its own cron jobs to /etc/cron.daily. If script is there, this rule is
# compliant. Otherwise, we copy the script to the /etc/cron.weekly
if ! egrep -q '^(\/usr\/bin\/)?aide(\.wrapper)?\s+' /etc/cron.*/*; then
    cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.weekly/
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Ensure AIDE is installed
  package:
    name: '{{ item }}'
    state: present
  with_items:
  - aide
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set cron package name - RedHat
  set_fact:
    cron_pkg_name: cronie
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_os_family == "RedHat" or ansible_os_family == "Suse"
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set cron package name - Debian
  set_fact:
    cron_pkg_name: cron
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_os_family == "Debian"
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Install cron
  package:
    name: '{{ cron_pkg_name }}'
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Periodic Execution of AIDE
  cron:
    name: run AIDE check
    minute: 5
    hour: 4
    weekday: 0
    user: root
    job: /usr/bin/aide --check
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Package "prelink" Must not be Installed

Rule ID	xccdf_org.ssgproject.content_rule_package_prelink_removed
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1.5.2
Description	The `prelink` package can be removed with the following command: $ apt-get remove prelink
Rationale	The use of the `prelink` package can interfere with the operation of AIDE since it binaries. Prelinking can also increase damage caused by vulnerability in a common library like libc.

Ensure /tmp Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_tmp
Result	fail
Time	2023-11-03T10:26:26
Severity	low
Identifiers and References	References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.2.1
Description	The `/tmp` directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale	The `/tmp` partition is used as temporary storage by many programs. Placing `/tmp` in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Disable the GNOME3 Login User List

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
Result	notapplicable
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3
Description	In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting `disable-user-list` to `true`. To disable, add or edit `disable-user-list` to `/etc/dconf/db/gdm.d/00-security-settings`. For example: [org/gnome/login-screen] disable-user-list=true Once the setting has been added, add a lock to `/etc/dconf/db/gdm.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/login-screen/disable-user-list After the settings have been set, run `dconf update`.
Rationale	Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.

Disable XDMCP in GDM

Rule ID	xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp
Result	notapplicable
Time	2023-11-03T10:26:26
Severity	high
Identifiers and References	References: 1.8.10
Description	XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. XDMCP Gnome docs. To disable XDMCP support in Gnome, set `Enable` to `false` under the `[xdmcp]` configuration section in `/etc/gdm/custom.conf`. For example: [xdmcp] Enable=false
Rationale	XDMCP provides unencrypted remote access through the Gnome Display Manager (GDM) which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using XDMCP, the privileged user password could be compromised due to typed XEvents and keystrokes will traversing over the network in clear text.

Disable GNOME3 Automounting

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
Result	notapplicable
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.8.6
Description	The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount within GNOME3, add or set `automount` to `false` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/media-handling] automount=false Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/media-handling/automount After the settings have been set, run `dconf update`.
Rationale	Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

Disable GNOME3 Automount Opening

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
Result	notapplicable
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.8.6
Description	The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount-open within GNOME3, add or set `automount-open` to `false` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/media-handling] automount-open=false Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/media-handling/automount-open After the settings have been set, run `dconf update`.
Rationale	Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

Disable GNOME3 Automount running

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
Result	notapplicable
Time	2023-11-03T10:26:26
Severity	low
Identifiers and References	References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.8.8
Description	The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable autorun-never within GNOME3, add or set `autorun-never` to `true` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/media-handling] autorun-never=true Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/media-handling/autorun-never After the settings have been set, run `dconf update`.
Rationale	Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mount running in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

Set GNOME3 Screensaver Lock Delay After Activation Period

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
Result	notapplicable
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, 1.8.5
Description	To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set `lock-delay` to `uint32 0` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/screensaver] lock-delay=uint32 0 After the settings have been set, run `dconf update`.
Rationale	A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.

Enable GNOME3 Screensaver Lock After Idle Period

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
Result	notapplicable
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000058, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, 1.8.4
Description	To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set `lock-enabled` to `true` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/screensaver] lock-enabled=true Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/screensaver/lock-enabled After the settings have been set, run `dconf update`.
Rationale	A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.

Install sudo Package

Rule ID	xccdf_org.ssgproject.content_rule_package_sudo_installed
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1
Description	The `sudo` package can be installed with the following command: $ apt-get install sudo
Rationale	`sudo` is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

Rule ID	xccdf_org.ssgproject.content_rule_sudo_add_use_pty
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: BP28(R58), Req-10.2.1.5, 5.3.2
Description	The sudo `use_pty` tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the `use_pty` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.
Rationale	Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user's terminal after the main program has finished executing.

Ensure Sudo Logfile Exists - sudo logfile

Rule ID	xccdf_org.ssgproject.content_rule_sudo_custom_logfile
Result	pass
Time	2023-11-03T10:26:26
Severity	low
Identifiers and References	References: Req-10.2.1.5, 5.3.3
Description	A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.
Rationale	A sudo log file simplifies auditing of sudo commands.

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

Rule ID	xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, 5.3.5
Description	The sudo `!authenticate` option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the `!authenticate` option does not exist in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.
Rationale	Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Require Re-Authentication When Using the sudo Command

Rule ID xccdf_org.ssgproject.content_rule_sudo_require_reauthentication

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, 5.3.6

Description

The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'sudo' 2>/dev/null | grep -q installed; then

var_sudo_timestamp_timeout='15'


if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then
    find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \;
fi

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then
        # sudoers file doesn't define Option timestamp_timeout
        echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
    else
        # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
        if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then
            
            sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
        fi
    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication
- name: XCCDF Value var_sudo_timestamp_timeout # promote to variable
  set_fact:
    var_sudo_timestamp_timeout: !!str 15
  tags:
    - always

- name: Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to
    be deduplicated
  find:
    path: /etc/sudoers.d
    patterns: '*'
    contains: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
  register: sudoers_d_defaults_timestamp_timeout
  when: '"sudo" in ansible_facts.packages'
  tags:
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

- name: Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/*
    files
  lineinfile:
    path: '{{ item.path }}'
    regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
    state: absent
  with_items: '{{ sudoers_d_defaults_timestamp_timeout.files }}'
  when: '"sudo" in ansible_facts.packages'
  tags:
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout[\s]*=[\s]*[-]?\w+\b(.*)$
    line: Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_timestamp_timeout_option
  when: '"sudo" in ansible_facts.packages'
  tags:
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}
    validate: /usr/sbin/visudo -cf %s
  when:
  - '"sudo" in ansible_facts.packages'
  - edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
  tags:
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

Enable GNOME3 Login Warning Banner

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
Result	notapplicable
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, 1.8.2
Description	In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting `banner-message-enable` to `true`. To enable, add or edit `banner-message-enable` to `/etc/dconf/db/gdm.d/00-security-settings`. For example: [org/gnome/login-screen] banner-message-enable=true Once the setting has been added, add a lock to `/etc/dconf/db/gdm.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/login-screen/banner-message-enable After the settings have been set, run `dconf update`. The banner text must also be set.
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Set the GNOME3 Login Warning Banner Text

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
Result	notapplicable
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, 1.8.2
Description	In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting `banner-message-text` to `'APPROVED_BANNER'` where APPROVED_BANNER is the approved banner for your environment. To enable, add or edit `banner-message-text` to `/etc/gdm3/greeter.dconf-defaults`. For example: [org/gnome/login-screen] banner-message-text='APPROVED_BANNER' After the settings have been set, run `dconf update`. When entering a warning banner that spans several lines, remember to begin and end the string with `'` and use `\n` for new lines.
Rationale	An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Modify the System Login Banner

Rule ID	xccdf_org.ssgproject.content_rule_banner_etc_issue
Result	fail
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, 1.7.2
Description	To configure the system login banner edit `/etc/issue`. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: `I've read & consent to terms in IS user agreem't.`
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Remediation Shell script: (show) # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then login_banner_text='^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$' # Multiple regexes transform the banner regex into a usable banner # 0 - Remove anchors around the banner text login_banner_text=$(echo "$login_banner_text" \| sed 's/^\^$.$\$$/\1/g') # 1 - Keep only the first banners if there are multiple # (dod_banners contains the long and short banner) login_banner_text=$(echo "$login_banner_text" \| sed 's/^($.\.$\|.*)$/\1/g') # 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") login_banner_text=$(echo "$login_banner_text" \| sed 's/\[\\s\\n\]+/ /g') # 3 - Adds newlines. (Transforms "(?:\[\\n\]+\|(?:\\n)+)" into "\n") login_banner_text=$(echo "$login_banner_text" \| sed 's/(?:\[\\n\]+\|(?:\\\\n)+)/\n/g') # 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). login_banner_text=$(echo "$login_banner_text" \| sed 's/\\//g') formatted=$(echo "$login_banner_text" \| fold -sw 80) cat <<EOF >/etc/issue $formatted EOF else >&2 echo 'Remediation is not applicable, nothing was done' fi

Modify the System Login Banner for Remote Connections

Rule ID xccdf_org.ssgproject.content_rule_banner_etc_issue_net

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, 1.7.3

Description

To configure the system login banner edit /etc/issue.net. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Remediation Shell script: (show)

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

login_banner_text='^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$'


# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
# 1 - Keep only the first banners if there are multiple
#    (dod_banners contains the long and short banner)
login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
formatted=$(echo "$login_banner_text" | fold -sw 80)

cat <<EOF >/etc/issue.net
$formatted
EOF

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	medium

- name: XCCDF Value login_banner_text # promote to variable
  set_fact:
    login_banner_text: !!str ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
  tags:
    - always

- name: Modify the System Login Banner for Remote Connections - ensure correct banner
  copy:
    dest: /etc/issue.net
    content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
      "\n") | regex_replace("\\", "") | wordwrap() }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - banner_etc_issue_net
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Modify the System Message of the Day Banner

Rule ID	xccdf_org.ssgproject.content_rule_banner_etc_motd
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1.7.1
Description	To configure the system message banner edit `/etc/motd`. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: `I've read & consent to terms in IS user agreem't.`
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Verify Group Ownership of System Login Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1.7.5
Description	To properly set the group owner of `/etc/issue`, run the command: $ sudo chgrp root /etc/issue
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner.

Verify Group Ownership of System Login Banner for Remote Connections

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1.7.6
Description	To properly set the group owner of `/etc/issue.net`, run the command: $ sudo chgrp root /etc/issue.net
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner.

Verify Group Ownership of Message of the Day Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_etc_motd
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1.7.4
Description	To properly set the group owner of `/etc/motd`, run the command: $ sudo chgrp root /etc/motd
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner.

Verify ownership of System Login Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_issue
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1.7.5
Description	To properly set the owner of `/etc/issue`, run the command: $ sudo chown root /etc/issue
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner.

Verify ownership of System Login Banner for Remote Connections

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1.7.6
Description	To properly set the owner of `/etc/issue.net`, run the command: $ sudo chown root /etc/issue.net
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner.

Verify ownership of Message of the Day Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_motd
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1.7.4
Description	To properly set the owner of `/etc/motd`, run the command: $ sudo chown root /etc/motd
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner.

Verify permissions on System Login Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_issue
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1.7.5
Description	To properly set the permissions of `/etc/issue`, run the command: $ sudo chmod 0644 /etc/issue
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner.

Verify permissions on System Login Banner for Remote Connections

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1.7.6
Description	To properly set the permissions of `/etc/issue.net`, run the command: $ sudo chmod 0644 /etc/issue.net
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner.

Verify permissions on Message of the Day Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_motd
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1.7.4
Description	To properly set the permissions of `/etc/motd`, run the command: $ sudo chmod 0644 /etc/motd
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner.

Limit Password Reuse

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
Result	fail
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, 5.4.3
Description	Do not allow users to reuse recent passwords. This can be accomplished by using the `remember` option for the `pam_unix` or `pam_pwhistory` PAM modules.
Rationale	Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
Warnings	warning If the system relies on `authselect` tool to manage PAM settings, the remediation will also use `authselect` tool. However, if any manual modification was made in PAM files, the `authselect` integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. warning Newer versions of `authselect` contain an authselect feature to easily and properly enable `pam_pwhistory.so` module. If this feature is not yet available in your system, an authselect custom profile must be used to avoid integrity issues in PAM files.
Remediation Shell script: (show) # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null \| grep -q installed; then var_password_pam_unix_remember='5' if [ -e "/etc/pam.d/common-password" ] ; then valueRegex="$var_password_pam_unix_remember" defaultValue="$var_password_pam_unix_remember" # non-empty values need to be preceded by an equals sign [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}" # add an equals sign to non-empty values [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}" # fix 'type' if it's wrong if grep -q -P "^\\s(?"'!'"password\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_unix.so" < "/etc/pam.d/common-password" ; then sed --follow-symlinks -i -E -e "s/^(\\s)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_unix.so)/\\1password\\2/" "/etc/pam.d/common-password" fi # fix 'control' if it's wrong if grep -q -P "^\\spassword\\s+(?"'!'"\[success=[[:alnum:]].\])[[:alnum:]]+\\s+pam_unix.so" < "/etc/pam.d/common-password" ; then sed --follow-symlinks -i -E -e "s/^(\\spassword\\s+)[[:alnum:]]+(\\s+pam_unix.so)/\\1\[success=[[:alnum:]].\]\\2/" "/etc/pam.d/common-password" fi # fix the value for 'option' if one exists but does not match 'valueRegex' if grep -q -P "^\\spassword\\s+\[success=[[:alnum:]].\]\\s+pam_unix.so(\\s.+)?\\s+remember(?"'!'"${valueRegex}(\\s\|\$))" < "/etc/pam.d/common-password" ; then sed --follow-symlinks -i -E -e "s/^(\\spassword\\s+\[success=[[:alnum:]].\]\\s+pam_unix.so(\\s.+)?\\s)remember=[^[:space:]]/\\1remember${defaultValue}/" "/etc/pam.d/common-password" # add 'option=default' if option is not set elif grep -q -E "^\\spassword\\s+\[success=[[:alnum:]].\]\\s+pam_unix.so" < "/etc/pam.d/common-password" && grep -E "^\\spassword\\s+\[success=[[:alnum:]].\]\\s+pam_unix.so" < "/etc/pam.d/common-password" \| grep -q -E -v "\\sremember(=\|\\s\|\$)" ; then sed --follow-symlinks -i -E -e "s/^(\\spassword\\s+\[success=[[:alnum:]].\]\\s+pam_unix.so[^\\n])/\\1 remember${defaultValue}/" "/etc/pam.d/common-password" # add a new entry if none exists elif ! grep -q -P "^\\spassword\\s+\[success=[[:alnum:]].\]\\s+pam_unix.so(\\s.+)?\\s+remember${valueRegex}(\\s\|\$)" < "/etc/pam.d/common-password" ; then echo "password \[success=[[:alnum:]].*\] pam_unix.so remember${defaultValue}" >> "/etc/pam.d/common-password" fi else echo "/etc/pam.d/common-password doesn't exist" >&2 fi else >&2 echo 'Remediation is not applicable, nothing was done' fi

Lock Accounts After Failed Password Attempts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Result	fail
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, 5.4.2
Description	This rule configures the system to lock out accounts after a number of incorrect login attempts using `pam_faillock.so`. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected.
Rationale	By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings	warning If the system relies on `authselect` tool to manage PAM settings, the remediation will also use `authselect` tool. However, if any manual modification was made in PAM files, the `authselect` integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the `/etc/security/faillock.conf` file, the pam_faillock parameters should be defined in `faillock.conf` file.
Remediation Shell script: (show) # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null \| grep -q installed; then var_accounts_passwords_pam_faillock_deny='4' if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi authselect enable-feature with-faillock authselect apply-changes -b else pam_file="/etc/pam.d/common-auth" if ! grep -qE '^\sauth\s+required\s+pam_faillock\.so\s+preauth.$' "$pam_file" ; then sed -i --follow-symlinks '/^auth.pam_unix\.so./i auth required pam_faillock.so preauth' "$pam_file" fi if ! grep -qE '^\sauth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.$' "$pam_file" ; then num_lines=$(sed -n 's/^auth.success=$[0-9]$.pam_unix\.so./\1/p' "$pam_file") if [ ! -z "$num_lines" ]; then echo "$num_lines" pattern="" for ((i=1; i <= num_lines; i++)); do pattern="${pattern}n;" done; sed -i --follow-symlinks '/^auth.pam_unix\.so./{'$pattern'a auth [default=die] pam_faillock.so authfail }' "$pam_file" else sed -i --follow-symlinks '/^auth.pam_unix\.so./a auth [default=die] pam_faillock.so authfail' "$pam_file" fi fi if ! grep -qE '^\sauth\s+sufficient\s+pam_faillock\.so\s+authsucc.$' "$pam_file" ; then sed -i --follow-symlinks '/^auth.pam_faillock\.so.authfail./a auth sufficient pam_faillock.so authsucc' "$pam_file" fi pam_file="/etc/pam.d/common-account" if ! grep -qE '^\saccount\s+required\s+pam_faillock\.so.$' "$pam_file" ; then echo 'account required pam_faillock.so' >> "$pam_file" fi fi AUTH_FILES=("/etc/pam.d/common-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then regex="^\sdeny\s=" line="deny = $var_accounts_passwords_pam_faillock_deny" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF else sed -i --follow-symlinks 's\|^\s$deny\s=\s$$\S\+$\|\1'"$var_accounts_passwords_pam_faillock_deny"'\|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do if [ -e "$pam_file" ] ; then PAM_FILE_PATH="$pam_file" if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi CURRENT_PROFILE=$(authselect current -r \| awk '{ print $1 }') # If not already in use, a custom profile is created preserving the enabled features. if [[ ! $CURRENT_PROFILE == custom/ ]]; then ENABLED_FEATURES=$(authselect current \| tail -n+3 \| awk '{ print $2 }') authselect create-profile hardening -b $CURRENT_PROFILE CURRENT_PROFILE="custom/hardening" authselect apply-changes -b --backup=before-hardening-custom-profile authselect select $CURRENT_PROFILE for feature in $ENABLED_FEATURES; do authselect enable-feature $feature; done authselect apply-changes -b --backup=after-hardening-custom-profile fi PAM_FILE_NAME=$(basename "$pam_file") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b fi if grep -qP '^\sauth\s.\bpam_faillock.so\s.\bdeny\b' "$PAM_FILE_PATH"; then sed -i -E --follow-symlinks 's/(.auth.pam_faillock.so.)\bdeny\b=?[[:alnum:]](.)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then authselect apply-changes -b fi else echo "$pam_file was not found" >&2 fi done else for pam_file in "${AUTH_FILES[@]}" do if ! grep -qE '^\sauth.pam_faillock\.so (preauth\|authfail).deny' "$pam_file"; then sed -i --follow-symlinks '/^auth.required.pam_faillock\.so.preauth.silent./ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" sed -i --follow-symlinks '/^auth.required.pam_faillock\.so.authfail./ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" else sed -i --follow-symlinks 's/$^auth.required.pam_faillock\.so.preauth.silent.$$'"deny"'=$[0-9]\+$.$/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" sed -i --follow-symlinks 's/$^auth.required.pam_faillock\.so.authfail.$$'"deny"'=$[0-9]\+$.*$/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" fi done fi else >&2 echo 'Remediation is not applicable, nothing was done' fi

Set Interval For Counting Failed Password Attempts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
Result	fail
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, 5.4.2
Description	Utilizing `pam_faillock.so`, the `fail_interval` directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period.
Rationale	By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings	warning If the system relies on `authselect` tool to manage PAM settings, the remediation will also use `authselect` tool. However, if any manual modification was made in PAM files, the `authselect` integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the `/etc/security/faillock.conf` file, the pam_faillock parameters should be defined in `faillock.conf` file.
Remediation Shell script: (show) # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null \| grep -q installed; then var_accounts_passwords_pam_faillock_fail_interval='900' if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi authselect enable-feature with-faillock authselect apply-changes -b else pam_file="/etc/pam.d/common-auth" if ! grep -qE '^\sauth\s+required\s+pam_faillock\.so\s+preauth.$' "$pam_file" ; then sed -i --follow-symlinks '/^auth.pam_unix\.so./i auth required pam_faillock.so preauth' "$pam_file" fi if ! grep -qE '^\sauth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.$' "$pam_file" ; then num_lines=$(sed -n 's/^auth.success=$[0-9]$.pam_unix\.so./\1/p' "$pam_file") if [ ! -z "$num_lines" ]; then echo "$num_lines" pattern="" for ((i=1; i <= num_lines; i++)); do pattern="${pattern}n;" done; sed -i --follow-symlinks '/^auth.pam_unix\.so./{'$pattern'a auth [default=die] pam_faillock.so authfail }' "$pam_file" else sed -i --follow-symlinks '/^auth.pam_unix\.so./a auth [default=die] pam_faillock.so authfail' "$pam_file" fi fi if ! grep -qE '^\sauth\s+sufficient\s+pam_faillock\.so\s+authsucc.$' "$pam_file" ; then sed -i --follow-symlinks '/^auth.pam_faillock\.so.authfail./a auth sufficient pam_faillock.so authsucc' "$pam_file" fi pam_file="/etc/pam.d/common-account" if ! grep -qE '^\saccount\s+required\s+pam_faillock\.so.$' "$pam_file" ; then echo 'account required pam_faillock.so' >> "$pam_file" fi fi AUTH_FILES=("/etc/pam.d/common-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then regex="^\sfail_interval\s=" line="fail_interval = $var_accounts_passwords_pam_faillock_fail_interval" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF else sed -i --follow-symlinks 's\|^\s$fail_interval\s=\s$$\S\+$\|\1'"$var_accounts_passwords_pam_faillock_fail_interval"'\|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do if [ -e "$pam_file" ] ; then PAM_FILE_PATH="$pam_file" if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi CURRENT_PROFILE=$(authselect current -r \| awk '{ print $1 }') # If not already in use, a custom profile is created preserving the enabled features. if [[ ! $CURRENT_PROFILE == custom/ ]]; then ENABLED_FEATURES=$(authselect current \| tail -n+3 \| awk '{ print $2 }') authselect create-profile hardening -b $CURRENT_PROFILE CURRENT_PROFILE="custom/hardening" authselect apply-changes -b --backup=before-hardening-custom-profile authselect select $CURRENT_PROFILE for feature in $ENABLED_FEATURES; do authselect enable-feature $feature; done authselect apply-changes -b --backup=after-hardening-custom-profile fi PAM_FILE_NAME=$(basename "$pam_file") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b fi if grep -qP '^\sauth\s.\bpam_faillock.so\s.\bfail_interval\b' "$PAM_FILE_PATH"; then sed -i -E --follow-symlinks 's/(.auth.pam_faillock.so.)\bfail_interval\b=?[[:alnum:]](.)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then authselect apply-changes -b fi else echo "$pam_file was not found" >&2 fi done else for pam_file in "${AUTH_FILES[@]}" do if ! grep -qE '^\sauth.pam_faillock\.so (preauth\|authfail).fail_interval' "$pam_file"; then sed -i --follow-symlinks '/^auth.required.pam_faillock\.so.preauth.silent./ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" sed -i --follow-symlinks '/^auth.required.pam_faillock\.so.authfail./ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" else sed -i --follow-symlinks 's/$^auth.required.pam_faillock\.so.preauth.silent.$$'"fail_interval"'=$[0-9]\+$.$/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" sed -i --follow-symlinks 's/$^auth.required.pam_faillock\.so.authfail.$$'"fail_interval"'=$[0-9]\+$.*$/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" fi done fi else >&2 echo 'Remediation is not applicable, nothing was done' fi

Set Lockout Time for Failed Password Attempts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
Result	fail
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, 5.4.2
Description	This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using `pam_faillock.so`. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as `authselect` or `authconfig`, depending on the OS version. If `unlock_time` is set to `0`, manual intervention by an administrator is required to unlock a user. This should be done using the `faillock` tool.
Rationale	By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings	warning If the system supports the new `/etc/security/faillock.conf` file but the pam_faillock.so parameters are defined directly in `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth`, the remediation will migrate the `unlock_time` parameter to `/etc/security/faillock.conf` to ensure compatibility with `authselect` tool. The parameters `deny` and `fail_interval`, if used, also have to be migrated by their respective remediation. warning If the system relies on `authselect` tool to manage PAM settings, the remediation will also use `authselect` tool. However, if any manual modification was made in PAM files, the `authselect` integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the `/etc/security/faillock.conf` file, the pam_faillock parameters should be defined in `faillock.conf` file.
Remediation Shell script: (show) # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null \| grep -q installed; then var_accounts_passwords_pam_faillock_unlock_time='600' if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi authselect enable-feature with-faillock authselect apply-changes -b else pam_file="/etc/pam.d/common-auth" if ! grep -qE '^\sauth\s+required\s+pam_faillock\.so\s+preauth.$' "$pam_file" ; then sed -i --follow-symlinks '/^auth.pam_unix\.so./i auth required pam_faillock.so preauth' "$pam_file" fi if ! grep -qE '^\sauth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.$' "$pam_file" ; then num_lines=$(sed -n 's/^auth.success=$[0-9]$.pam_unix\.so./\1/p' "$pam_file") if [ ! -z "$num_lines" ]; then echo "$num_lines" pattern="" for ((i=1; i <= num_lines; i++)); do pattern="${pattern}n;" done; sed -i --follow-symlinks '/^auth.pam_unix\.so./{'$pattern'a auth [default=die] pam_faillock.so authfail }' "$pam_file" else sed -i --follow-symlinks '/^auth.pam_unix\.so./a auth [default=die] pam_faillock.so authfail' "$pam_file" fi fi if ! grep -qE '^\sauth\s+sufficient\s+pam_faillock\.so\s+authsucc.$' "$pam_file" ; then sed -i --follow-symlinks '/^auth.pam_faillock\.so.authfail./a auth sufficient pam_faillock.so authsucc' "$pam_file" fi pam_file="/etc/pam.d/common-account" if ! grep -qE '^\saccount\s+required\s+pam_faillock\.so.$' "$pam_file" ; then echo 'account required pam_faillock.so' >> "$pam_file" fi fi AUTH_FILES=("/etc/pam.d/common-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then regex="^\sunlock_time\s=" line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF else sed -i --follow-symlinks 's\|^\s$unlock_time\s=\s$$\S\+$\|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'\|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do if [ -e "$pam_file" ] ; then PAM_FILE_PATH="$pam_file" if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi CURRENT_PROFILE=$(authselect current -r \| awk '{ print $1 }') # If not already in use, a custom profile is created preserving the enabled features. if [[ ! $CURRENT_PROFILE == custom/ ]]; then ENABLED_FEATURES=$(authselect current \| tail -n+3 \| awk '{ print $2 }') authselect create-profile hardening -b $CURRENT_PROFILE CURRENT_PROFILE="custom/hardening" authselect apply-changes -b --backup=before-hardening-custom-profile authselect select $CURRENT_PROFILE for feature in $ENABLED_FEATURES; do authselect enable-feature $feature; done authselect apply-changes -b --backup=after-hardening-custom-profile fi PAM_FILE_NAME=$(basename "$pam_file") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b fi if grep -qP '^\sauth\s.\bpam_faillock.so\s.\bunlock_time\b' "$PAM_FILE_PATH"; then sed -i -E --follow-symlinks 's/(.auth.pam_faillock.so.)\bunlock_time\b=?[[:alnum:]](.)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then authselect apply-changes -b fi else echo "$pam_file was not found" >&2 fi done else for pam_file in "${AUTH_FILES[@]}" do if ! grep -qE '^\sauth.pam_faillock\.so (preauth\|authfail).unlock_time' "$pam_file"; then sed -i --follow-symlinks '/^auth.required.pam_faillock\.so.preauth.silent./ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" sed -i --follow-symlinks '/^auth.required.pam_faillock\.so.authfail./ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" else sed -i --follow-symlinks 's/$^auth.required.pam_faillock\.so.preauth.silent.$$'"unlock_time"'=$[0-9]\+$.$/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" sed -i --follow-symlinks 's/$^auth.required.pam_faillock\.so.authfail.$$'"unlock_time"'=$[0-9]\+$.*$/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" fi done fi else >&2 echo 'Remediation is not applicable, nothing was done' fi

Ensure PAM Enforces Password Requirements - Minimum Digit Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, 5.4.1

Description

The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_dcredit='-1'






# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/security/pwquality.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dcredit")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dcredit"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    # \n is precaution for case where file ends without trailing newline
    
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_dcredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_dcredit # promote to variable
  set_fact:
    var_password_pam_dcredit: !!str -1
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters - Ensure
    PAM variable dcredit is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*dcredit
    line: dcredit = {{ var_password_pam_dcredit }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_dcredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000070-GPOS-00038, 5.4.1

Description

The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_lcredit='-1'






# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/security/pwquality.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^lcredit")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_lcredit"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    # \n is precaution for case where file ends without trailing newline
    
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_lcredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_lcredit # promote to variable
  set_fact:
    var_password_pam_lcredit: !!str -1
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters -
    Ensure PAM variable lcredit is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*lcredit
    line: lcredit = {{ var_password_pam_lcredit }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_lcredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Ensure PAM Enforces Password Requirements - Minimum Different Categories

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, 5.4.1

Description

The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:

* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)

Modify the minclass setting in /etc/security/pwquality.conf entry to require 4 differing categories of characters when changing passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_minclass='4'






# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/security/pwquality.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minclass")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minclass"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    # \n is precaution for case where file ends without trailing newline
    
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_minclass
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_minclass # promote to variable
  set_fact:
    var_password_pam_minclass: !!str 4
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Different Categories -
    Ensure PAM variable minclass is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*minclass
    line: minclass = {{ var_password_pam_minclass }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_minclass
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Ensure PAM Enforces Password Requirements - Minimum Length

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, 5.4.1

Description

The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=14 after pam_pwquality to set minimum password length requirements.

Rationale

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_minlen='14'






# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/security/pwquality.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    # \n is precaution for case where file ends without trailing newline
    
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.6.2.1.1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_minlen
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_minlen # promote to variable
  set_fact:
    var_password_pam_minlen: !!str 14
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure PAM variable
    minlen is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*minlen
    line: minlen = {{ var_password_pam_minlen }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - CJIS-5.6.2.1.1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_minlen
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Ensure PAM Enforces Password Requirements - Minimum Special Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-001619, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, SRG-OS-000266-GPOS-00101, 5.4.1

Description

The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal -1 to require use of a special character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_ocredit='-1'






# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/security/pwquality.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ocredit")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ocredit"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^ocredit\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^ocredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    # \n is precaution for case where file ends without trailing newline
    
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_ocredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_ocredit # promote to variable
  set_fact:
    var_password_pam_ocredit: !!str -1
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters - Ensure
    PAM variable ocredit is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*ocredit
    line: ocredit = {{ var_password_pam_ocredit }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_ocredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
Result	fail
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227, 5.4.1
Description	To configure the number of retry prompts that are permitted per-session: Edit the `pam_pwquality.so` statement in `/etc/pam.d/common-password` to show `retry=3`, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.
Rationale	Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.
Remediation Shell script: (show) # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null \| grep -q installed; then var_password_pam_retry='3' if [ -e "/etc/pam.d/common-password" ] ; then valueRegex="$var_password_pam_retry" defaultValue="$var_password_pam_retry" # non-empty values need to be preceded by an equals sign [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}" # add an equals sign to non-empty values [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}" # fix 'type' if it's wrong if grep -q -P "^\\s(?"'!'"password\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then sed --follow-symlinks -i -E -e "s/^(\\s)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_pwquality.so)/\\1password\\2/" "/etc/pam.d/common-password" fi # fix 'control' if it's wrong if grep -q -P "^\\spassword\\s+(?"'!'"requisite)[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then sed --follow-symlinks -i -E -e "s/^(\\spassword\\s+)[[:alnum:]]+(\\s+pam_pwquality.so)/\\1requisite\\2/" "/etc/pam.d/common-password" fi # fix the value for 'option' if one exists but does not match 'valueRegex' if grep -q -P "^\\spassword\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry(?"'!'"${valueRegex}(\\s\|\$))" < "/etc/pam.d/common-password" ; then sed --follow-symlinks -i -E -e "s/^(\\spassword\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s)retry=[^[:space:]]/\\1retry${defaultValue}/" "/etc/pam.d/common-password" # add 'option=default' if option is not set elif grep -q -E "^\\spassword\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" && grep -E "^\\spassword\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" \| grep -q -E -v "\\sretry(=\|\\s\|\$)" ; then sed --follow-symlinks -i -E -e "s/^(\\spassword\\s+requisite\\s+pam_pwquality.so[^\\n])/\\1 retry${defaultValue}/" "/etc/pam.d/common-password" # add a new entry if none exists elif ! grep -q -P "^\\spassword\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry${valueRegex}(\\s\|\$)" < "/etc/pam.d/common-password" ; then echo "password requisite pam_pwquality.so retry${defaultValue}" >> "/etc/pam.d/common-password" fi else echo "/etc/pam.d/common-password doesn't exist" >&2 fi else >&2 echo 'Remediation is not applicable, nothing was done' fi

Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit

Result

fail

Time 2023-11-03T10:26:26

Severity medium

Identifiers and References

References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, 5.4.1

Description

The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.

Rationale

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_ucredit='-1'






# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/security/pwquality.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ucredit")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ucredit"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    # \n is precaution for case where file ends without trailing newline
    
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_ucredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_ucredit # promote to variable
  set_fact:
    var_password_pam_ucredit: !!str -1
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters -
    Ensure PAM variable ucredit is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*ucredit
    line: ucredit = {{ var_password_pam_ucredit }}
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_ucredit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Set Password Hashing Algorithm in /etc/login.defs

Rule ID	xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
Result	fail
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, 5.4.4
Description	In `/etc/login.defs`, add or correct the following line to ensure the system will use yescrypt as the hashing algorithm: ENCRYPT_METHOD yescrypt
Rationale	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. Using a stronger hashing algorithm makes password cracking attacks more difficult.
Remediation Shell script: (show) # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null \| grep -q installed; then var_password_hashing_algorithm='yescrypt' if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then sed -i "s/^ENCRYPT_METHOD .*/ENCRYPT_METHOD $var_password_hashing_algorithm/g" /etc/login.defs else echo "" >> /etc/login.defs echo "ENCRYPT_METHOD $var_password_hashing_algorithm" >> /etc/login.defs fi else >&2 echo 'Remediation is not applicable, nothing was done' fi

Set Account Expiration Following Inactivity

Rule ID	xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
Result	fail
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, 5.5.1.4
Description	To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in `/etc/default/useradd`: INACTIVE=30 If a password is currently on the verge of expiration, then `30` day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus `30` day(s) could elapse until the account would be automatically disabled. See the `useradd` man page for more information.
Rationale	Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
Remediation Shell script: (show) # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null \| grep -q installed; then var_account_disable_post_pw_expiration='30' # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "/etc/default/useradd"; then sed_command+=('--follow-symlinks') fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "^INACTIVE") # shellcheck disable=SC2059 printf -v formatted_output "%s=%s" "$stripped_key" "$var_account_disable_post_pw_expiration" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then escaped_formatted_output=$(sed -e 's\|/\|\\/\|g' <<< "$formatted_output") "${sed_command[@]}" "s/^INACTIVE\\>./$escaped_formatted_output/gi" "/etc/default/useradd" else # \n is precaution for case where file ends without trailing newline printf '%s\n' "$formatted_output" >> "/etc/default/useradd" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi

Ensure All Accounts on the System Have Unique Names

Rule ID	xccdf_org.ssgproject.content_rule_account_unique_name
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: 5.5.2, CCI-000770, CCI-000804, Req-8.1.1, 6.2.7
Description	Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: $ sudo getent passwd \| awk -F: '{ print $1}' \| uniq -d If a username is returned, change or delete the username.
Rationale	Unique usernames allow for accountability on the system.

Ensure shadow group is empty

Rule ID	xccdf_org.ssgproject.content_rule_ensure_shadow_group_empty
Result	pass
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: Req-8.2.1, 6.2.4
Description	The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.
Rationale	Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.

Set Password Maximum Age

Rule ID	xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
Result	fail
Time	2023-11-03T10:26:26
Severity	medium
Identifiers and References	References: BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2,