profile.json
7139 lines (7139 loc) · 955 KB
{
"name": "Canonical_Ubuntu_20-04_LTS_STIG",
"title": "Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide",
"maintainer": "Nitin Ravindran",
"copyright": "Nitin Ravindran",
"copyright_email": "[email protected]",
"license": "Apache-2.0",
"summary": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].",
"version": "1.6.0",
"supports": [
{
"platform-name": "ubuntu",
"release": "20.04"
}
],
"inputs": [
{
"name": "temporary_accounts",
"options": {
"type": "Array",
"value": []
}
},
{
"name": "banner_text",
"options": {
"type": "String",
"value": "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
}
},
{
"name": "sudo_accounts",
"options": {
"type": "Array",
"value": [
"ubuntu"
]
}
},
{
"name": "tmout",
"options": {
"type": "Numeric",
"value": 600
}
},
{
"name": "action_mail_acct",
"options": {
"type": "String",
"value": "root"
}
},
{
"name": "audit_tools",
"options": {
"type": "Array",
"value": [
"/sbin/auditctl",
"/sbin/aureport",
"/sbin/ausearch",
"/sbin/autrace",
"/sbin/auditd",
"/sbin/audispd",
"/sbin/augenrules"
]
}
},
{
"name": "standard_audit_log_size",
"options": {
"type": "Numeric",
"value": 8894028
}
},
{
"name": "aide_conf_path",
"options": {
"type": "String",
"value": "/etc/aide/aide.conf"
}
},
{
"name": "maxlogins",
"options": {
"type": "Numeric",
"value": 10
}
},
{
"name": "is_kdump_required",
"options": {
"type": "Boolean",
"value": false
}
},
{
"name": "is_system_networked",
"options": {
"type": "Boolean",
"value": true
}
},
{
"name": "sssd_conf_path",
"options": {
"type": "String",
"value": "/etc/sssd/sssd.conf"
}
},
{
"name": "allowed_ca_fingerprints_regex",
"options": {
"type": "String",
"value": "(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)"
}
},
{
"name": "allowed_network_interfaces",
"options": {
"type": "Array",
"value": [
"lo",
"eth0"
]
}
},
{
"name": "audit_sp_remote_server",
"options": {
"type": "String",
"value": "192.0.0.1"
}
},
{
"name": "approved_wireless_interfaces",
"options": {
"type": "Array",
"value": []
}
},
{
"name": "fips_config_file",
"options": {
"type": "String",
"value": "/proc/sys/crypto/fips_enabled"
}
},
{
"name": "chrony_config_file",
"options": {
"type": "String",
"value": "/etc/chrony/chrony.conf"
}
},
{
"name": "useradd_config_file",
"options": {
"type": "String",
"value": "/etc/default/useradd"
}
},
{
"name": "rsyslog_config_file",
"options": {
"type": "String",
"value": "/etc/rsyslog.d/50-default.conf"
}
},
{
"name": "auditoffload_config_file",
"options": {
"type": "String",
"value": "/etc/cron.weekly/audit-offload"
}
},
{
"name": "audispremote_config_file",
"options": {
"type": "String",
"value": "/etc/audisp/plugins.d/au-remote.conf"
}
},
{
"name": "gdm3_config_file",
"options": {
"type": "String",
"value": "/etc/gdm3/greeter.dconf-defaults"
}
},
{
"name": "disable_fips",
"options": {
"type": "Boolean",
"value": false
}
},
{
"name": "pki_disabled",
"options": {
"type": "Boolean",
"value": false
}
},
{
"name": "admin_groups",
"options": {
"type": "Array",
"value": [
"root"
]
}
}
],
"controls": [
{
"title": "The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ",
"desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.",
"descriptions": {
"default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.",
"check": "Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding.",
"fix": "Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000258-GPOS-00099 ",
"gid": "V-238344 ",
"rid": "SV-238344r654207_rule ",
"stig_id": "UBTU-20-010423 ",
"fix_id": "F-41513r654206_fix ",
"cci": [
"CCI-001495"
],
"nist": [
"AU-9"
],
"host": null,
"container": null
},
"code": "control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n tag 'host', 'container'\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238344.rb",
"line": 1
},
"id": "SV-238344"
},
{
"title": "The Ubuntu operating system library files must be owned by root. ",
"desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.",
"descriptions": {
"default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.",
"check": "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding.",
"fix": "Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000259-GPOS-00100 ",
"gid": "V-238349 ",
"rid": "SV-238349r654222_rule ",
"stig_id": "UBTU-20-010428 ",
"fix_id": "F-41518r654221_fix ",
"cci": [
"CCI-001499"
],
"nist": [
"CM-5 (6)"
],
"host": null,
"container": null
},
"code": "control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238349.rb",
"line": 1
},
"id": "SV-238349"
},
{
"title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. ",
"desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"descriptions": {
"default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"check": "Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.",
"fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000064-GPOS-00033 ",
"gid": "V-238255 ",
"rid": "SV-238255r653940_rule ",
"stig_id": "UBTU-20-010139 ",
"fix_id": "F-41424r653939_fix ",
"cci": [
"CCI-000172"
],
"nist": [
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238255.rb",
"line": 1
},
"id": "SV-238255"
},
{
"title": "The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ",
"desc": "Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.",
"descriptions": {
"default": "Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.",
"check": "Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding.",
"fix": "Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory."
},
"impact": 0.3,
"refs": [],
"tags": {
"severity": "low ",
"gtitle": "SRG-OS-000479-GPOS-00224 ",
"gid": "V-238321 ",
"rid": "SV-238321r853428_rule ",
"stig_id": "UBTU-20-010300 ",
"fix_id": "F-41490r654137_fix ",
"cci": [
"CCI-001851"
],
"nist": [
"AU-4 (1)"
],
"host": null,
"container": null
},
"code": "control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host', 'container'\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238321.rb",
"line": 1
},
"id": "SV-238321"
},
{
"title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ",
"desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.",
"descriptions": {
"default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.",
"check": "Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding.",
"fix": "Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1"
},
"impact": 0.3,
"refs": [],
"tags": {
"severity": "low ",
"gtitle": "SRG-OS-000071-GPOS-00039 ",
"gid": "V-238223 ",
"rid": "SV-238223r653844_rule ",
"stig_id": "UBTU-20-010052 ",
"fix_id": "F-41392r653843_fix ",
"cci": [
"CCI-000194"
],
"nist": [
"IA-5 (1) (a)"
],
"host": null,
"container": null
},
"code": "control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238223.rb",
"line": 1
},
"id": "SV-238223"
},
{
"title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. ",
"desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.",
"descriptions": {
"default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.",
"check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.",
"fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000064-GPOS-00033 ",
"satisfies": [
"SRG-OS-000064-GPOS-00033",
"SRG-OS-000462-GPOS-00206"
],
"gid": "V-238264 ",
"rid": "SV-238264r808477_rule ",
"stig_id": "UBTU-20-010148 ",
"fix_id": "F-41433r808476_fix ",
"cci": [
"CCI-000172"
],
"nist": [
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238264.rb",
"line": 1
},
"id": "SV-238264"
},
{
"title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ",
"desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.",
"descriptions": {
"default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.",
"check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.",
"fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000004-GPOS-00004 ",
"satisfies": [
"SRG-OS-000004-GPOS-00004",
"SRG-OS-000239-GPOS-00089",
"SRG-OS-000240-GPOS-00090",
"SRG-OS-000241-GPOS-00091",
"SRG-OS-000303-GPOS-00120",
"SRG-OS-000458-GPOS-00203",
"SRG-OS-000463-GPOS-00207",
"SRG-OS-000476-GPOS-00221"
],
"gid": "V-238238 ",
"rid": "SV-238238r853416_rule ",
"stig_id": "UBTU-20-010100 ",
"fix_id": "F-41407r653888_fix ",
"cci": [
"CCI-000018",
"CCI-000172",
"CCI-001403",
"CCI-001404",
"CCI-001405",
"CCI-002130"
],
"nist": [
"AC-2 (4)",
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238238.rb",
"line": 1
},
"id": "SV-238238"
},
{
"title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. ",
"desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.",
"descriptions": {
"default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.",
"check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above.",
"fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000064-GPOS-00033 ",
"satisfies": [
"SRG-OS-000064-GPOS-00033",
"SRG-OS-000462-GPOS-00206"
],
"gid": "V-238268 ",
"rid": "SV-238268r808480_rule ",
"stig_id": "UBTU-20-010152 ",
"fix_id": "F-41437r808479_fix ",
"cci": [
"CCI-000172"
],
"nist": [
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238268.rb",
"line": 1
},
"id": "SV-238268"
},
{
"title": "The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ",
"desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"descriptions": {
"default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"check": "Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above.",
"fix": "Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000064-GPOS-00033 ",
"satisfies": [
"SRG-OS-000064-GPOS-00033",
"SRG-OS-000470-GPOS-00214",
"SRG-OS-000473-GPOS-00218"
],
"gid": "V-238287 ",
"rid": "SV-238287r654036_rule ",
"stig_id": "UBTU-20-010171 ",
"fix_id": "F-41456r654035_fix ",
"cci": [
"CCI-000172"
],
"nist": [
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238287.rb",
"line": 1
},
"id": "SV-238287"
},
{
"title": "The Ubuntu operating system library directories must be owned by root. ",
"desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.",
"descriptions": {
"default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.",
"check": "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding.",
"fix": "Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000259-GPOS-00100 ",
"gid": "V-238350 ",
"rid": "SV-238350r654225_rule ",
"stig_id": "UBTU-20-010429 ",
"fix_id": "F-41519r654224_fix ",
"cci": [
"CCI-001499"
],
"nist": [
"CM-5 (6)"
],
"host": null,
"container": null
},
"code": "control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238350.rb",
"line": 1
},
"id": "SV-238350"
},
{
"title": "The Ubuntu operating system must not allow accounts configured with blank or null passwords. ",
"desc": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.",
"descriptions": {
"default": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.",
"check": "To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding.",
"fix": "If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords."
},
"impact": 0.7,
"refs": [],
"tags": {
"severity": "high ",
"gtitle": "SRG-OS-000480-GPOS-00227 ",
"gid": "V-251504 ",
"rid": "SV-251504r832977_rule ",
"stig_id": "UBTU-20-010463 ",
"fix_id": "F-54893r832976_fix ",
"cci": [
"CCI-000366"
],
"nist": [
"CM-6 b"
],
"host": null
},
"code": "control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-251504.rb",
"line": 1
},
"id": "SV-251504"
},
{
"title": "The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. ",
"desc": "If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.",
"descriptions": {
"default": "If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.",
"check": "If smart card authentication is not being used on the system, this is Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding.",
"fix": "Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file."
},
"impact": 0.3,
"refs": [],
"tags": {
"severity": "low ",
"gtitle": "SRG-OS-000383-GPOS-00166 ",
"gid": "V-238362 ",
"rid": "SV-238362r853437_rule ",
"stig_id": "UBTU-20-010441 ",
"fix_id": "F-41531r654260_fix ",
"cci": [
"CCI-002007"
],
"nist": [
"IA-5 (13)"
],
"host": null
},
"code": "control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this is Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the control is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the control is Not Applicable.'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238362.rb",
"line": 1
},
"id": "SV-238362"
},
{
"title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. ",
"desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.",
"descriptions": {
"default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.",
"check": "Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove.",
"fix": "Configure the audit system to generate an audit event for any unsuccessful use of the \"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000064-GPOS-00033 ",
"satisfies": [
"SRG-OS-000064-GPOS-00033",
"SRG-OS-000474-GPOS-00219"
],
"gid": "V-238271 ",
"rid": "SV-238271r808483_rule ",
"stig_id": "UBTU-20-010155 ",
"fix_id": "F-41440r808482_fix ",
"cci": [
"CCI-000172"
],
"nist": [
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the \\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238271.rb",
"line": 1
},
"id": "SV-238271"
},
{
"title": "The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. ",
"desc": "Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.",
"descriptions": {
"default": "Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.",
"check": "Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding.",
"fix": "Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000138-GPOS-00069 ",
"gid": "V-238332 ",
"rid": "SV-238332r654171_rule ",
"stig_id": "UBTU-20-010411 ",
"fix_id": "F-41501r654170_fix ",
"cci": [
"CCI-001090"
],
"nist": [
"SC-4"
],
"host": null,
"container": null
},
"code": "control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n tag 'host', 'container'\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238332.rb",
"line": 1
},
"id": "SV-238332"
},
{
"title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ",
"desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.",
"descriptions": {
"default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.",
"check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.",
"fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000004-GPOS-00004 ",
"satisfies": [
"SRG-OS-000004-GPOS-00004",
"SRG-OS-000239-GPOS-00089",
"SRG-OS-000240-GPOS-00090",
"SRG-OS-000241-GPOS-00091",
"SRG-OS-000303-GPOS-00120",
"SRG-OS-000458-GPOS-00203",
"SRG-OS-000476-GPOS-00221"
],
"gid": "V-238240 ",
"rid": "SV-238240r853418_rule ",
"stig_id": "UBTU-20-010102 ",
"fix_id": "F-41409r653894_fix ",
"cci": [
"CCI-000018",
"CCI-000172",
"CCI-001403",
"CCI-001404",
"CCI-001405",
"CCI-002130"
],
"nist": [
"AC-2 (4)",
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238240.rb",
"line": 1
},
"id": "SV-238240"
},
{
"title": "The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. ",
"desc": "An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.",
"descriptions": {
"default": "An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.",
"check": "Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding.",
"fix": "Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo"
},
"impact": 0.7,
"refs": [],
"tags": {
"severity": "high ",
"gtitle": "SRG-OS-000134-GPOS-00068 ",
"gid": "V-238206 ",
"rid": "SV-238206r653793_rule ",
"stig_id": "UBTU-20-010012 ",
"fix_id": "F-41375r653792_fix ",
"cci": [
"CCI-001084"
],
"nist": [
"SC-3"
],
"host": null,
"container": null
},
"code": "control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host', 'container'\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238206.rb",
"line": 1
},
"id": "SV-238206"
},
{
"title": "The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ",
"desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.",
"descriptions": {
"default": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.",
"check": "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding.",
"fix": "Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000447-GPOS-00201 ",
"gid": "V-238372 ",
"rid": "SV-238372r853449_rule ",
"stig_id": "UBTU-20-010451 ",
"fix_id": "F-41541r654290_fix ",
"cci": [
"CCI-002702"
],
"nist": [
"SI-6 d"
],
"host": null,
"container": null
},
"code": "control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n tag 'host', 'container'\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238372.rb",
"line": 1
},
"id": "SV-238372"
},
{
"title": "The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ",
"desc": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.",
"descriptions": {
"default": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.",
"check": "Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pkcs11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pkcs11\" package is not installed,\nthis is a finding.",
"fix": "Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000376-GPOS-00161 ",
"gid": "V-238231 ",
"rid": "SV-238231r853411_rule ",
"stig_id": "UBTU-20-010064 ",
"fix_id": "F-41400r653867_fix ",
"cci": [
"CCI-001953"
],
"nist": [
"IA-2 (12)"
],
"host": null,
"container": null
},
"code": "control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pkcs11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pkcs11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n tag 'host', 'container'\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238231.rb",
"line": 1
},
"id": "SV-238231"
},
{
"title": "The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ",
"desc": "Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.",
"descriptions": {
"default": "Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.",
"check": "Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding.",
"fix": "Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000066-GPOS-00034 ",
"gid": "V-238229 ",
"rid": "SV-238229r653862_rule ",
"stig_id": "UBTU-20-010060 ",
"fix_id": "F-41398r653861_fix ",
"cci": [
"CCI-000185"
],
"nist": [
"IA-5 (2) (b) (1)"
],
"host": null
},
"code": "control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the control is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the control is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238229.rb",
"line": 1
},
"id": "SV-238229"
},
{
"title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ",
"desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.",
"descriptions": {
"default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.",
"check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.",
"fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000004-GPOS-00004 ",
"satisfies": [
"SRG-OS-000004-GPOS-00004",
"SRG-OS-000239-GPOS-00089",
"SRG-OS-000240-GPOS-00090",
"SRG-OS-000241-GPOS-00091",
"SRG-OS-000303-GPOS-00120",
"SRG-OS-000458-GPOS-00203",
"SRG-OS-000476-GPOS-00221"
],
"gid": "V-238239 ",
"rid": "SV-238239r853417_rule ",
"stig_id": "UBTU-20-010101 ",
"fix_id": "F-41408r653891_fix ",
"cci": [
"CCI-000018",
"CCI-000172",
"CCI-001403",
"CCI-001404",
"CCI-001405",
"CCI-002130"
],
"nist": [
"AC-2 (4)",
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238239.rb",
"line": 1
},
"id": "SV-238239"
},
{
"title": "The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ",
"desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.",
"descriptions": {
"default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.",
"check": "Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding.",
"fix": "Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000057-GPOS-00027 ",
"satisfies": [
"SRG-OS-000057-GPOS-00027",
"SRG-OS-000058-GPOS-00028"
],
"gid": "V-238245 ",
"rid": "SV-238245r653910_rule ",
"stig_id": "UBTU-20-010122 ",
"fix_id": "F-41414r653909_fix ",
"cci": [
"CCI-000162",
"CCI-000163"
],
"nist": [
"AU-9 a"
],
"host": null
},
"code": "control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n # log_file is nil in this branch, so it must not be concatenated into the label\n describe('log_file is set in /etc/audit/auditd.conf') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238245.rb",
"line": 1
},
"id": "SV-238245"
},
{
"title": "The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. ",
"desc": "Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.",
"descriptions": {
"default": "Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.",
"check": "Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding.",
"fix": "Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000480-GPOS-00228 ",
"gid": "V-238209 ",
"rid": "SV-238209r653802_rule ",
"stig_id": "UBTU-20-010016 ",
"fix_id": "F-41378r653801_fix ",
"cci": [
"CCI-000366"
],
"nist": [
"CM-6 b"
],
"host": null,
"container": null
},
"code": "control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238209.rb",
"line": 1
},
"id": "SV-238209"
},
{
"title": "The Ubuntu operating system must disable all wireless network adapters. ",
"desc": "Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.",